“High risk” Telegram vulnerability exposes users to attacks – CertiK

Update April 9, 2:40 pm UTC: Telegram denies the existence of the RCE vulnerability in Telegram clients, but some security experts say it is a known issue.

A major vulnerability in Telegram Messenger is exposing users to malicious attacks, according to a new report by blockchain security firm CertiK.

CertiK Alert took to social media platform X on April 9 to warn the public of a “high vulnerability in the wild” that allows attackers to achieve remote code execution (RCE) through media sent over Telegram.

According to the post, the CertiK team discovered a “potential RCE” attack on the Telegram desktop app in its media processing.


“This vulnerability exposes users to malicious attacks with specially crafted media files such as images or videos,” CertiK wrote.

A CertiK spokesperson told Cointelegraph that the vulnerability is limited to the desktop Telegram app because mobile “doesn't directly run executable programs like desktops, which generally require a signature.” The representative noted that the information on the matter came from the security community.

To avoid the vulnerability, users should check their Telegram desktop configuration and disable the auto-download feature. The feature can be disabled by going to “Settings” and opening “Advanced”.

Source: CertiK

Under the “Automatic Media Download” section, disable auto-download for “Photos”, “Videos” and “Files” in all chat types (private chats, groups and channels).

A Telegram spokesperson told Cointelegraph that the company “cannot confirm the existence of such a vulnerability in Telegram customers.”

According to crypto enthusiast and gray hat SEO Yannick Eckl, the problem of automatic downloading of media files and RCE attacks in Telegram is not new. “This is a known issue in many, but obviously not all, IT-security circles,” Eckl told Cointelegraph.

Telegram is a leading crypto-friendly messenger that allows users to communicate, exchange files and transfer cryptocurrencies such as Bitcoin (BTC) and Toncoin (TON) using a custodial wallet solution simply called Wallet.

The “custodial” part means that Wallet does not hand its private keys to users by default, but instead safeguards the assets itself, sparing industry newcomers the responsibility of protecting their own keys.


This is not the first vulnerability discovered in Telegram. In 2023, Google engineer Dan Revah discovered a critical bug that allowed attackers to access the camera and microphone on laptops running macOS.

Source: Dan Revah

In 2021, a Shielder security researcher discovered a similar media-related issue in Telegram, which allowed attackers to send specially crafted animated stickers that could expose victims' information.

Telegram has been actively addressing potential vulnerabilities in the app. Telegram's bug bounty program has been running since 2014 and gives developers and the security researcher community an opportunity to submit their reports and qualify for a bounty ranging from $100 to $100,000 or more, depending on the severity of the issue.
