View comment

⛔ PSA - Critical Telegram 0-day Vulnerability Fixed After Being Labelled "Likely a Hoax"

by /u/Amphora · 0 votes · 2024-04-14 23:48:00


Telegram fixed a zero-day vulnerability in its Windows desktop application that could be used to bypass security warnings and automatically launch Python scripts.

Over the past few days, rumors have been circulating on X and hacking forums about an alleged remote code execution vulnerability in Telegram for Windows.

While some of these posts claimed it was a zero-click flaw, the videos demonstrating the alleged security warning bypass and RCE vulnerability clearly show someone clicking on shared media to launch the Windows calculator.

A small error in the Telegram Windows client code allowed attackers to upload ".pyzw" files in the application, which would need to be automatically downloaded by victim clients. This would obviously immediately compromise the host computer, allowing a reverse shell to be planted, or a stealer to be ran.

Telegram quicky jumped and denied that it existed on the 9th of April, 2024 by saying they "can't confirm that such a vulnerability exists" and that the "video is likely a hoax" without doing their due dilligence.


However, the next day, a proof of concept exploit was shared on the XSS hacking forum explaining that a typo in the source code for Telegram for Windows could be exploited to send Python .pyzw files that bypass security warnings when clicked.

This caused the file to automatically be executed by Python without a warning from Telegram like it does for other executables, and was supposed to do for this file if it wasn't for a typo.

To make matters worse, the proof of concept exploit disguised the Python file as a shared video, along with a thumbnail, that could be used to trick users into clicking on the fake video to watch it.


Telegram, as of now, has fixed the vulnerability server-side while still disputing it's impact and that it is an issue. For your safety, disable automatic downloads, beware of what you download and use virtualization whenever possible to run such applications. The vulnerability impacted only Windows clients that also had a Python interpreter locally available.

For your safety, do not use Windows, or Telegram. If you must, do so in a secure manner, inside a VM, over Tor, and do not accept files from people you don't trust. Disable automatic downloads and don't combine your personal life with the dark web. Telegram has a poor history of security, and security issues affecting clients have happened before (securelist.com/zero-day-vulnerability-in-telegram/83800).

Stay safe everyone, and stay informed to find out about such problems before they start being mass exploited. Luckily, nothing of such scale happened, as this, in the hands of a large APT, would've demolished a lot of people using Telegram on Windows (www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-used-to-launch-python-scripts).

User: /u/Amphora

I am also a bot, talking to a bot, within a bot, by a bot, next to a bot, near a bot, while being a bot.