Severity | CVE Code | Affected Component | Sources |
---|---|---|---|
High | – | Telegram Desktop for Windows | XSS forum (onion link), GitHub issues (fix) |
In short
Telegram, a popular messaging platform, recently addressed a critical zero-day vulnerability in its Windows desktop application. This vulnerability allowed for the automatic launch of Python scripts without triggering security warnings, posing a significant threat.
Understand the vulnerability
Initially, there were rumors (on X) of a potential remote code execution (RCE) flaw within Telegram for Windows, with some reports suggesting it was a zero-click vulnerability. However, further investigation revealed that users needed to interact with the malicious file to trigger the exploit.
- A proof-of-concept exploit surfaced, indicating that a typo in the Telegram source code allowed Python scripts to execute without triggering security warnings. The vulnerability stemmed from Telegram’s handling of file extensions: instead of the “pyzw” extension (the Windows extension for Python zip applications), the non-existent extension “pywz” was written in the list of risky file types. While the app displayed security warnings for known risky file types, unknown file types were automatically launched, relying on the operating system’s default behavior.
Fixes
Telegram acknowledged the issue and swiftly implemented the following measures:
- Server-side fix: Telegram implemented a server-side fix to prevent Python scripts from auto-launching, ensuring that all versions of Telegram Desktop were safeguarded against the exploit.
- Temporary mitigation: To mitigate the vulnerability, Telegram corrected the extension spelling in its source code and temporarily appended the ‘untrusted’ extension to Python files, prompting users to select a program for opening the file.
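As an added example (this is not Telegram’s code; the extension lists, function names, allow-list and the rename helper are constructed here, and only the pyzw/pywz transposition comes from the reports above), the script below shows what a single mis-spelled deny-list entry does to an “is this file risky?” check, contrasts it with a default-deny check of the kind the interim ‘untrusted’ rename amounts to, and includes a small audit that flags transposed entries in such a list:

```python
"""Added example, not Telegram's code: a mis-spelled deny-list entry versus a
default-deny check for file opening, plus an audit for transposed entries.

Everything here is constructed for illustration (list contents, names, the
allow-list, the rename); only the pyzw/pywz transposition is from the reports.
"""
from pathlib import PurePath

# Constructed deny-list of extensions a chat client might warn about before
# opening. "pywz" is the typo: the real zipapp extension "pyzw" is missing,
# so the deny-list check never recognises it.
RISKY_EXTENSIONS_BUGGY = {"exe", "bat", "cmd", "msi", "ps1", "py", "pyw", "pyz", "pywz"}
RISKY_EXTENSIONS_FIXED = {"exe", "bat", "cmd", "msi", "ps1", "py", "pyw", "pyz", "pyzw"}

# Constructed allow-list for the hardened variant: extensions whose default
# handler on a desktop is a viewer rather than an interpreter.
SAFE_TO_OPEN = {"jpg", "jpeg", "png", "gif", "txt", "pdf", "mp4"}

# Suffix the hardened variant appends so that no application is registered for
# the file and the OS asks the user to pick one (modelled on the interim
# mitigation described above; the exact rename is a constructed assumption).
UNTRUSTED_SUFFIX = ".untrusted"


def extension(filename: str) -> str:
    """Last extension, lower-cased, without the dot ('' if there is none)."""
    return PurePath(filename).suffix.lstrip(".").lower()


def needs_warning_denylist(filename: str, risky: set[str]) -> bool:
    """Deny-list check: warn only for listed extensions; anything else goes
    straight to the OS default handler, so one missing entry is a hole."""
    return extension(filename) in risky


def decide_allowlist(filename: str) -> tuple[str, str]:
    """Default-deny check: only viewer-type extensions open directly; every
    other file (unknown, extension-less, interpreter-bound) is renamed with
    UNTRUSTED_SUFFIX so the user has to choose a program explicitly."""
    if extension(filename) in SAFE_TO_OPEN:
        return ("open", filename)
    return ("prompt", filename + UNTRUSTED_SUFFIX)


def find_transposed_entries(denylist: set[str], reference: set[str]) -> dict[str, str]:
    """Audit helper: entries of `denylist` absent from `reference` that are an
    anagram of a reference entry, i.e. likely typos. Returns {typo: intended}."""
    by_letters = {"".join(sorted(ext)): ext for ext in reference}
    return {
        ext: by_letters["".join(sorted(ext))]
        for ext in denylist
        if ext not in reference and "".join(sorted(ext)) in by_letters
    }


if __name__ == "__main__":
    for name in ("report.pyzw", "REPORT.PYZW", "photo.jpg", "README"):
        print(name,
              "buggy warns:", needs_warning_denylist(name, RISKY_EXTENSIONS_BUGGY),
              "fixed warns:", needs_warning_denylist(name, RISKY_EXTENSIONS_FIXED),
              "default-deny:", decide_allowlist(name))
    print("suspect entries:", find_transposed_entries(RISKY_EXTENSIONS_BUGGY, RISKY_EXTENSIONS_FIXED))
```

The point of the contrast is the shape of the check rather than the spelling of one entry: with the deny-list, `report.pyzw` is only caught once the typo is corrected, whereas the default-deny variant prompts for it (and for a file with no extension at all) regardless of how complete the list is. The audit helper is a cheap review-time check for the specific error class seen here, a transposition that turns a real extension into one no program is registered for.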