A Sticker Sent On Telegram Could Have Exposed Your Secret Chats

enaph

enaph

Level 28
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,790
Content source
https://thehackernews.com/2021/02/a-sticker-sent-on-telegram-could-have.html
Cybersecurity researchers on Monday disclosed details of a now-patched flaw in the Telegram messaging app that could have exposed users' secret messages, photos, and videos to remote malicious actors.

The issues were discovered by Italy-based Shielder in iOS, Android, and macOS versions of the app. Following responsible disclosure, Telegram addressed them in a series of patches on September 30 and October 2, 2020.

The flaws stemmed from the way secret chat functionality operates and in the app's handling of animated stickers, thus allowing attackers to send malformed stickers to unsuspecting users and gain access to messages, photos, and videos that were exchanged with their Telegram contacts through both classic and secret chats.

One caveat of note is that exploiting the flaws in the wild may not have been trivial, as it requires chaining the aforementioned weaknesses to at least one additional vulnerability in order to get around security defenses in modern devices today. That might sound prohibitive, but, on the contrary, they are well in the reach of both cybercrime gangs and nation-state groups alike.

Shielder said it chose to wait for at least 90 days before publicly revealing the bugs so as to give users ample time to update their devices.

"Periodic security reviews are crucial in software development, especially with the introduction of new features, such as the animated stickers," the researchers said. "The flaws we have reported could have been used in an attack to gain access to the devices of political opponents, journalists or dissidents."

It's worth noting that this is the second flaw uncovered in Telegram's secret chat feature, following last week's reports of a privacy-defeating bug in its macOS app that made it possible to access self-destructing audio and video messages long after they disappeared from secret chats.

This is not the first time images, and multimedia files sent via messaging services have been weaponized to carry out nefarious attacks.

In March 2017, researchers from Check Point Research revealed a new form of attack against web versions of Telegram and WhatsApp, which involved sending users seemingly innocuous image files containing malicious code that, when opened, could have allowed an adversary to take over users' accounts on any browser completely, and access victims' personal and group conversations, photos, videos, and contact lists.
Click to expand...
 
  • Like
  • +Reputation
  • Wow
Reactions: ForgottenSeer 85179, Gandalf_The_Grey, Venustus and 5 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
'Evil Telegram' Android apps on Google Play infected 60K with spyware
Replies
5
Views
1,983
News Archive
TairikuOkami
TairikuOkami
[correlate]
    • Wow
    • Sad
The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15
Replies
0
Views
1,177
News Archive
[correlate]
[correlate]
silversurfer
    • +Reputation
    • Like
Lookalike Telegram and WhatsApp Websites Distributing Cryptocurrency Stealing Malware
Replies
0
Views
560
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top