A sticker sent on Telegram could have revealed your secret conversations




On Monday, cybersecurity researchers revealed details of now-patched flaws in the Telegram messaging app that could have exposed users' secret messages, photos and videos to remote malicious actors.

The issues were discovered by Italy-based Shielder in the iOS, Android, and macOS versions of the app. Following responsible disclosure, Telegram addressed them in a series of patches on September 30 and October 2, 2020.

The flaws stemmed from the way the secret chat feature works and from the app's handling of animated stickers, allowing attackers to send malformed stickers to unsuspecting users and gain access to messages, photos and videos that were exchanged with their Telegram contacts through secret chats.


One caveat is that exploiting the vulnerabilities in the wild may not have been trivial, as it requires chaining the aforementioned weaknesses with at least one additional vulnerability in order to bypass the security defenses of modern devices. That may sound prohibitive, but such chains are well within reach of cybercrime gangs and nation-state groups.

Shielder said it chose to wait at least 90 days before publicly revealing the bugs in order to give users enough time to update their devices.

“Periodic security reviews are crucial in software development, especially with the introduction of new features, such as animated stickers,” the researchers said. “The flaws we have reported could have been used in an attack to gain access to the devices of political opponents, journalists or dissidents.”

It should be noted that this is the second flaw discovered in Telegram's secret chat function, following reports last week of a privacy-invasive bug in its macOS app that made it possible to access self-destructing audio and video messages long after they disappeared from secret chats.

This is not the first time that images and media files sent via messaging services have been used to carry out malicious attacks.

In March 2017, researchers at Check Point Research revealed a new form of attack against the web versions of Telegram and WhatsApp, which involved sending users seemingly harmless image files containing malicious code that, once opened, could have allowed an adversary to take control of user accounts on any browser and access victims' personal and group conversations, photos, videos and contact lists.


