A total of thirteen vulnerabilities were discovered and subsequently patched by the Dubai-based app.
An investigation by IT security consultants, Shielder, has revealed dozens of vulnerabilities within the Telegram app. Telegram introduced stickers in 2019, and what began as research into this new feature's source code became an eight-month investigation of more than a dozen security exploits.
These flaws enabled remote attackers to send malicious stickers to other users to gain access to private messages, photos, and videos. Writing for Shielder, a reporter named "polict" detailed how the stickers would only be rendered when a Telegram chat was opened – so users could potentially skirt vulnerabilities by ignoring suspicious messages.
However, if a user did open a chat containing a malformed sticker, the flaw would activate – and do so every subsequent time that chat was opened.
"Since the animated sticker is downloaded on the device," said polict, "this turned useless memory corruptions (such as null-pointer dereferences) into an annoyingly persistent crash which would have prevented non-technical victims from accessing the previous messages in the chat."
Exploits were detected on the macOS, iOS, and Android Telegram apps, and were surprisingly complex. To sidestep the security defenses found in most devices, attackers would need to chain a vulnerability with another flaw – a finicky process that would not, however, deter determined attackers.
During the course of its investigation, Shielder uncovered 13 vulnerabilities, including:
- 1 heap out-of-bounds write
- 1 stack out-of-bounds write
- 1 stack out-of-bounds read
- 2 heap out-of-bounds reads
- 1 integer overflow leading to heap out-of-bounds read
- 2 type confusions
- 5 denial-of-service flaws
Fortunately, the threats have since been reported. polict claims that Shielder waited 90 days before disclosing the flaws to Telegram so that its users could update their devices.
Telegram itself has also confirmed that the bugs have been addressed – namely with a run of patches that landed on September 30 and October 2, 2020. Updates were made available for macOS, iOS and Android clients, and Telegram users no longer need to worry about malicious stickers provided they have updated the app within the last four months.
"Before starting this research in 2019 I would have been pretty skeptical if you had asked me whether the following year I'd find a single memory corruption in Telegram. Today I shared with you the story of how I have found 13, some with a higher impact than others but all of which were promptly fixed by Telegram."
Telegram may have acted swiftly to patch the exposed vulnerabilities, but their existence in the first place is a blow to the app's reputation – particularly as it touts itself as a secure alternative to WhatsApp.
However, Telegram's secret chat feature is no stranger to privacy concerns. It was uncovered last week that self-destructing audio and video messages were still accessible beyond their expiration, thanks to a bug in the macOS app.