A significant vulnerability in the Telegram messenger poses a severe risk to users, as highlighted in a recent report by blockchain security firm CertiK.
In an alert posted on the social media platform X on April 9, CertiK warned the public about a “high-risk vulnerability in the wild” that could potentially let attackers carry out remote code execution (RCE) attacks through Telegram’s media processing.
#CertiKInsight ⚠️
We see a high-risk vulnerability in the wild,
Please check your telegram configurations to improve security!
👇👇👇👇👇
Possible RCE was detected in Telegram's media processing in Telegram Desktop application.
This issue exposes users to malicious attacks through…
— CertiK Alert (@CertiKAlert) April 9, 2024
CertiK’s investigation revealed a potential RCE attack vector in Telegram’s media processing specifically within the Telegram Desktop application. This flaw could allow malicious actors to exploit specially crafted media files, such as images or videos, to launch attacks against users.
According to CertiK, the vulnerability affects the desktop version of Telegram: mobile devices, unlike desktops, typically do not run arbitrary executable programs and generally require code to be signed. The news about the issue, however, originated from the security community.
To mitigate the risk, users are advised to review their Telegram Desktop settings and disable the auto-download feature. This can be done by accessing “Settings” and navigating to “Advanced,” then disabling auto-download for “Photos,” “Videos,” and “Files” across all chat types.
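Disabling auto-download removes the trigger, but a defender may also want to audit what has already landed in a Telegram Desktop download folder. The script below is an added example, not CertiK's or Telegram's code: it assumes a directory of downloaded files and checks each file's leading bytes against the well-known signature for its extension, reporting any "image" or "video" that actually starts with an executable header. It does not detect the media-parsing bug itself, which the report does not detail; it only catches the cruder case of an executable carried under a media extension. The signature table is an assumption that covers common formats and is not exhaustive.

```python
"""Flag downloaded "media" files whose content does not match their extension.

Added example (not CertiK's or Telegram's code). Assumes a folder of files that
Telegram Desktop auto-downloaded; the signature table below is an assumption
covering common formats only.
"""
import os
import tempfile
from pathlib import Path

# Leading-byte signatures for common media formats (well-known magic numbers).
MEDIA_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webm": (b"\x1a\x45\xdf\xa3",),   # EBML header used by WebM/Matroska
}

# Executable containers that have no business inside a media file.
EXECUTABLE_SIGNATURES = (
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"#!", "script with shebang line"),
)


def check_header(ext: str, header: bytes) -> str:
    """Return 'ok', 'skipped: ...' for non-media extensions, or 'mismatch: ...'."""
    ext = ext.lower()
    if ext == ".mp4":
        matches = header[4:8] == b"ftyp"            # ISO BMFF 'ftyp' box sits at offset 4
    elif ext == ".webp":
        matches = header[:4] == b"RIFF" and header[8:12] == b"WEBP"
    elif ext in MEDIA_SIGNATURES:
        matches = any(header.startswith(sig) for sig in MEDIA_SIGNATURES[ext])
    else:
        return f"skipped: {ext or '(no extension)'} is not a media extension"
    if matches:
        return "ok"
    # Media extension with a non-media header: say what it really looks like.
    for sig, description in EXECUTABLE_SIGNATURES:
        if header.startswith(sig):
            return f"mismatch: {description} disguised as {ext}"
    return f"mismatch: header does not match {ext}"


def scan_downloads(directory) -> list:
    """Return (path, verdict) for every file in `directory` whose header mismatches."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            header = fh.read(16)
        verdict = check_header(path.suffix, header)
        if verdict.startswith("mismatch"):
            findings.append((str(path), verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample files standing in for a Telegram Desktop download folder.
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
            "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 4,
            "holiday.mp4": b"MZ\x90\x00" + b"\x00" * 12,   # PE header under a video name
        }
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        for path, verdict in scan_downloads(tmp):
            print(f"{os.path.basename(path)}: {verdict}")
```

Point `scan_downloads` at the real download directory to list every file whose header contradicts its extension; a genuine media file that fails the check is worth a second look, and an executable under a media name should be treated as hostile until proven otherwise.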
Telegram, known for its cryptocurrency-friendly features, including file sharing and transactions, has previously faced security issues. In 2023, Google engineer Dan Revah discovered a bug that allowed attackers to access laptop cameras and microphones on macOS.
CVE-2023-26818: Latest blog post on how I found a vulnerability in Telegram's macOS app and was able to bypass TCC, giving me unauthorized access to sensitive user data and recording the user via camera. 🔒 📸#Cybersecurity #macOS https://t.co/HJwvJSE7Tv
— Dan Revah (@danrevah) May 15, 2023
Similarly, in 2021, a security researcher found a media-related vulnerability in Telegram, enabling attackers to send modified animated stickers that could potentially expose users’ data.
Despite these challenges, Telegram has actively addressed security concerns through its bug bounty program, which has been operational since 2014. This program incentivizes developers and security researchers to report vulnerabilities, offering bounties ranging from $100 to $100,000 or more based on the severity of the issue.