Telegram RCE (twitter.com/certikalert)
19 points by chickenwidd on April 9, 2024 | hide | past | favorite | 10 comments


I've seen this before. It doesn't work that way: Telegram Desktop will first tell you that "this is an exe file that might be highly dangerous", with a checkbox below to "don't show this again".

That said, I think this should still be rejected by the server, so it's weird that it worked that way. However, the issue is not as bad as the video claims it to be; a user will be warned.


Telegram answered on Twitter/X:

"We can't confirm that such a vulnerability exists. This video is likely a hoax."

https://twitter.com/telegram/status/1777677055837995151


Anyone have any info on this, how serious it is etc? Very vague post.


Seems like a revival of: https://github.com/desktop-app/lib_webview/commit/77b1712a8f... (2022)

where you could open an app by running window.open("C:\Windows\system32\cmd.exe")

This is a guess based on the behavior in the video, and on the recent fix to the Media Preview feature of "Instant View" attachments: https://github.com/telegramdesktop/tdesktop/commit/eaaa704fa... (3 days ago)

so potentially it could be as simple as sending an Instant View link pointing to an executable app instead of a website.


And that's why I'm using Unigram on Windows: it runs in a sandbox.

https://github.com/UnigramDev/Unigram


No one has confirmed the vulnerability; there is only a video showing the vuln, and it is most likely fake.

Video: https://t.me/exploitorg/30?comment=31


If you’re using a fully-fledged OS for your secure comms (and using telegram off of a mobile device to start with), this probably isn’t your biggest threat.

Disabling of automatic media parsing as suggested is absolutely a wise choice.

This would be pretty bad indeed if it were wormable.


This does seem to be nonsense, but people do really need to consider Telegram to be highly untrustworthy and not providing any privacy guarantees at all.

For some reason, lots of people consider it to be a similar sort of thing to Signal, but it's not: Signal takes privacy and security extremely seriously, Telegram ... does not.


The tweet has been deleted, is there an archive?

