/d/OpSec


⛔ PSA - Critical Telegram 0-day Vulnerability Fixed After Being Labelled "Likely a Hoax"

by /u/Amphora · 0 votes · 2024-04-14 23:48:00


Telegram fixed a zero-day vulnerability in its Windows desktop application that could be used to bypass security warnings and automatically launch Python scripts.

Over the past few days, rumors have been circulating on X and hacking forums about an alleged remote code execution vulnerability in Telegram for Windows.

While some of these posts claimed it was a zero-click flaw, the videos demonstrating the alleged security warning bypass and RCE vulnerability clearly show someone clicking on shared media to launch the Windows calculator.

A small error in the Telegram Windows client code allowed attackers to upload ".pyzw" files in the application, which would need to be automatically downloaded by victim clients. This would obviously immediately compromise the host computer, allowing a reverse shell to be planted, or a stealer to be run.

Telegram quickly jumped in and denied that it existed on the 9th of April, 2024, saying they "can't confirm that such a vulnerability exists" and that the "video is likely a hoax", without doing their due diligence.


However, the next day, a proof of concept exploit was shared on the XSS hacking forum explaining that a typo in the source code for Telegram for Windows could be exploited to send Python .pyzw files that bypass security warnings when clicked.

This caused the file to be executed automatically by Python, without the warning Telegram shows for other executables, and which it was supposed to show for this file if it weren't for a typo.

To make matters worse, the proof of concept exploit disguised the Python file as a shared video, along with a thumbnail, that could be used to trick users into clicking on the fake video to watch it.


Telegram, as of now, has fixed the vulnerability server-side while still disputing its impact and that it is an issue. For your safety, disable automatic downloads, beware of what you download and use virtualization whenever possible to run such applications. The vulnerability impacted only Windows clients that also had a Python interpreter locally available.

For your safety, do not use Windows, or Telegram. If you must, do so in a secure manner, inside a VM, over Tor, and do not accept files from people you don't trust. Disable automatic downloads and don't combine your personal life with the dark web. Telegram has a poor history of security, and security issues affecting clients have happened before (securelist.com/zero-day-vulnerability-in-telegram/83800).

Stay safe everyone, and stay informed to find out about such problems before they start being mass exploited. Luckily, nothing of such scale happened, as this, in the hands of a large APT, would've demolished a lot of people using Telegram on Windows (www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-used-to-launch-python-scripts).
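An added illustration, not Telegram's code and not from this post, of the failure mode the post describes: a constructed deny-list of "prompt before opening" extensions in which the zipped-Python-app entry is misspelled (standing in for the typo in the post; the real misspelled string is not given here), beside an allow-list check that fails closed and a check for the "script disguised as a video" trick.

```python
# Added example, not Telegram's code: why a deny-list with a single typo
# becomes a silent warning bypass, and a check that fails closed instead.
import os

# Constructed deny-list of extensions a client should prompt on before opening.
# The zipped-Python-app entry is deliberately misspelled here to stand in for
# the typo described in the post (the real Telegram list is not on the page).
DENY_LIST_WITH_TYPO = {"exe", "bat", "cmd", "py", "pyw", "pywz"}  # "pywz" should be "pyzw"
DENY_LIST_FIXED = (DENY_LIST_WITH_TYPO - {"pywz"}) | {"pyzw"}

# Extensions a client may reasonably open without a prompt (constructed, not Telegram's).
SAFE_TO_OPEN = {"jpg", "jpeg", "png", "gif", "mp4", "webm", "pdf", "txt"}
VIDEO_EXTENSIONS = {"mp4", "webm", "mov", "mkv"}


def extension(name: str) -> str:
    """Last extension only, lower-cased: 'holiday.mp4.PYZW' -> 'pyzw'.
    Windows picks the handler from the final extension, so that is what matters."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def needs_warning_denylist(name: str, deny=DENY_LIST_WITH_TYPO) -> bool:
    """Deny-list model: prompt only if the extension is listed.
    Anything the list forgets or misspells opens with no prompt at all."""
    return extension(name) in deny


def needs_warning_allowlist(name: str, safe=SAFE_TO_OPEN) -> bool:
    """Allow-list model: prompt for everything not known to be inert.
    A missing or misspelled entry now costs an extra prompt, not a bypass."""
    return extension(name) not in safe


def looks_like_disguised_media(name: str, declared_kind: str) -> bool:
    """The PoC in the post presented a script as a 'video' with a thumbnail.
    Flag any attachment whose declared media kind does not match its extension."""
    return declared_kind == "video" and extension(name) not in VIDEO_EXTENSIONS


if __name__ == "__main__":
    sample = "holiday.mp4.pyzw"  # constructed file name with a double extension
    print("deny-list (typo) warns:", needs_warning_denylist(sample))  # False: the bypass
    print("deny-list (fixed) warns:", needs_warning_denylist(sample, DENY_LIST_FIXED))  # True
    print("allow-list warns:", needs_warning_allowlist(sample))  # True
    print("disguised as video:", looks_like_disguised_media(sample, "video"))  # True
```

The point for defenders is the asymmetry: a typo in a deny-list removes a warning silently, while a typo in an allow-list only adds one.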

Comments (8)
/u/AutoModerator · N/A votes · 14th April, 2024 - 23:48 · Link

Approval is needed for "Telegram" to fight off spammers. Your post may be completely valid. If so, it will get approved shortly. This comment was posted automatically by a bot. All AutoModerator settings are configured by individual communities. Contact this community's Moderators to have your post approved if you believe this was in error.

/u/Amphora · N/A votes · 14th April, 2024 - 23:50 · Link

Thank you dear bot. I will patiently wait.

/u/Fyodor-MD · N/A votes · 15th April, 2024 - 01:42 · Link

haha you're talking to a bot xD

/u/Amphora · N/A votes · 15th April, 2024 - 01:45 · Link

I am also a bot, talking to a bot, within a bot, by a bot, next to a bot, near a bot, while being a bot.

/u/DigitalShaman · N/A votes · 15th April, 2024 - 04:00 · Link

So this is where Autobot disappeared to... he's been stuck on this post.

/u/notyourgirlfriendagain · N/A votes · 15th April, 2024 - 00:50 · Link

Actually, funnily enough, this was fixed in Chrome as well a while back. Extensions could use it as a sandbox escape, because of auto-open and shit.

/u/Amphora · N/A votes · 15th April, 2024 - 00:52 · Link

Telegram is among the most insecure chat applications. Why people use it is beyond my understanding.

/u/AutoModerator · N/A votes · 15th April, 2024 - 00:52 · Link

Approval is needed for "Telegram" to fight off spammers. Your post may be completely valid. If so, it will get approved shortly. This comment was posted automatically by a bot. All AutoModerator settings are configured by individual communities. Contact this community's Moderators to have your post approved if you believe this was in error.

/u/Amphora · N/A votes · 15th April, 2024 - 00:54 · Link

Brother, we got it, stop doing that.

/u/heapoverflow · N/A votes · 15th April, 2024 - 01:07 · Link

Automod is going to have a field day with this post. Lol.

/u/Amphora · N/A votes · 15th April, 2024 - 01:08 · Link

Oh yeah, I can see it already picked on your comment hahaha!

/u/notyourgirlfriendagain · N/A votes · 15th April, 2024 - 02:33 · Link

`Tel¨egram

/u/NeonX · N/A votes · 15th April, 2024 - 07:48 · Link

[pending moderation]

/u/AutoModerator · N/A votes · 15th April, 2024 - 07:48 · Link

Approval is needed for "Telegram" to fight off spammers. Your post may be completely valid. If so, it will get approved shortly. This comment was posted automatically by a bot. All AutoModerator settings are configured by individual communities. Contact this community's Moderators to have your post approved if you believe this was in error.

/u/NeonX · N/A votes · 15th April, 2024 - 07:49 · Link

Oh come on...

/u/footsteps · N/A votes · 15th April, 2024 - 07:10 · Link

Because the human brain is energy-conservative (i.e.: lazy), and picks things based on emotion rather than analysis.

/u/heapoverflow · N/A votes · 15th April, 2024 - 01:06 · Link

[pending moderation]

/u/AutoModerator · N/A votes · 15th April, 2024 - 01:06 · Link

Approval is needed for "Telegram" to fight off spammers. Your post may be completely valid. If so, it will get approved shortly. This comment was posted automatically by a bot. All AutoModerator settings are configured by individual communities. Contact this community's Moderators to have your post approved if you believe this was in error.

/u/Amphora · N/A votes · 15th April, 2024 - 01:09 · Link

The damn bot is going nuts.

/u/AutoModerator · N/A votes · 15th April, 2024 - 01:20 · Link

Approval is needed for "Telegram" to fight off spammers. Your post may be completely valid. If so, it will get approved shortly. This comment was posted automatically by a bot. All AutoModerator settings are configured by individual communities. Contact this community's Moderators to have your post approved if you believe this was in error.

/u/DMTeam · N/A votes · 15th April, 2024 - 02:10 · Link

[pending moderation]

/u/AutoModerator · N/A votes · 15th April, 2024 - 02:10 · Link

Approval is needed for "Telegram" to fight off spammers. Your post may be completely valid. If so, it will get approved shortly. This comment was posted automatically by a bot. All AutoModerator settings are configured by individual communities. Contact this community's Moderators to have your post approved if you believe this was in error.

/u/miner21 · N/A votes · 15th April, 2024 - 05:22 · Link

Thank you for the PSA. Glad TG is so transparent with their vulnerability issues... smh

/u/billy_hotdog · N/A votes · 15th April, 2024 - 06:07 · Link

[removed]

/u/billy_hotdog · N/A votes · 15th April, 2024 - 06:09 · Link

[removed]

/u/asfaleia · N/A votes · 15th April, 2024 - 06:10 · Link

[pending moderation]

/u/AutoModerator · N/A votes · 15th April, 2024 - 06:10 · Link

Approval is needed for "Telegram" to fight off spammers. Your post may be completely valid. If so, it will get approved shortly. This comment was posted automatically by a bot. All AutoModerator settings are configured by individual communities. Contact this community's Moderators to have your post approved if you believe this was in error.

/u/rasclatbunn · N/A votes · 15th April, 2024 - 10:52 · Link

[pending moderation]

/u/AutoModerator · N/A votes · 15th April, 2024 - 10:52 · Link

Approval is needed for "Telegram" to fight off spammers. Your post may be completely valid. If so, it will get approved shortly. This comment was posted automatically by a bot. All AutoModerator settings are configured by individual communities. Contact this community's Moderators to have your post approved if you believe this was in error.

/u/rasclatbunn · N/A votes · 15th April, 2024 - 11:20 · Link

If you put effort into the code to completely decouple the original client from the messaging servers, come up with a way to securely store information about conversations, and add some extra features like the ability to chat without internet and the ability to deploy mesh networks, you will end up with a decent application that can truly be considered a secure messenger.