A sticker sent on Telegram may have exposed your secret chats

Cybersecurity researchers on Monday revealed details of a now-patched bug in the Telegram messaging app that could have exposed users’ secret messages, photos and videos to outside malicious actors.

The problems were discovered by Italy-based Shielder in iOS, Android and macOS versions of the app. After responsible disclosure, Telegram addressed them in a series of patches on September 30 and October 2, 2020.

The shortcomings stemmed from the way the secret chat functionality works and from the app’s handling of animated stickers, allowing attackers to send malformed stickers to unsuspecting users and access messages, photos and videos exchanged with their Telegram contacts via both classic and secret chats.

One caveat is that exploiting the flaws in the wild may not have been trivial, as it requires chaining the aforementioned vulnerabilities with at least one additional vulnerability to bypass current security measures in modern devices. That may sound prohibitive, but on the contrary, such chains are well within reach of cybercrime gangs as well as nation-state groups.

Shielder said it chose to wait at least 90 days before publicly disclosing the bugs so that users would have plenty of time to update their devices.

“Periodic security reviews are critical in software development, especially with the introduction of new features such as the animated stickers,” said the researchers. “The flaws we reported could have been used in an attack to gain access to the devices of political opponents, journalists or dissidents.”

It’s worth noting that this is the second bug discovered in Telegram’s Secret Chat feature, following last week’s reports of a privacy-wrecking bug in the macOS app that allowed access to self-destructing audio and video messages long after they disappeared from secret chats.

This is not the first time that images and multimedia files sent through messaging services have been weaponized to carry out nefarious attacks.

In March 2017, researchers at Check Point Research unveiled a new form of attack on the web versions of Telegram and WhatsApp, in which users were sent seemingly harmless image files containing malicious code that, when opened, would have enabled an adversary to take over users’ accounts completely in any browser and access victims’ personal and group conversations, photos, videos and contact lists.
