Severity: High
CVE code: (not listed)
Affected component: Telegram Desktop for Windows
Sources: XSS forum (onion link), GitHub issues (fix)

In short

Telegram, a popular messaging platform, recently addressed a critical zero-day vulnerability in its Windows desktop application. This vulnerability allowed for the automatic launch of Python scripts without triggering security warnings, posing a significant threat.

Understand the vulnerability

Initially, there were rumors on X of a potential remote code execution (RCE) flaw in Telegram for Windows, with some reports suggesting it was a zero-click vulnerability. Further investigation showed that it was not: a user had to open the malicious file for the exploit to trigger.

  • A proof of concept exploit surfaced, showing that a typo in the Telegram source code allowed Python scripts to be executed without a security warning. The vulnerability stemmed from Telegram’s handling of file extensions: the list of risky extensions was meant to contain “pyzw”, but the non-existent extension “pywz” had been written instead. The app displayed security warnings for known risky file types, but file types it did not recognize were launched automatically, relying on the operating system’s default handler for that extension.

Fixes

Telegram acknowledged the issue and swiftly implemented the following measures:

Server-side fix: Telegram implemented a server-side fix to prevent Python scripts from auto-launching, ensuring that all versions of Telegram Desktop were safeguarded against the exploit.

Temporary mitigation: To mitigate the vulnerability, Telegram corrected the extension spelling in its source code and temporarily appended the ‘untrusted’ extension to Python files, prompting users to select a program for opening the file.
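The extension check described above and the two fixes, as an added illustration that is not Telegram’s code: a hypothetical deny-list with the misspelled entry next to the corrected one, and the “untrusted” rename mitigation. Names such as `warnsBeforeOpen`, `kWarnListWithTypo` and `untrustedName` are assumptions for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>

// Extension of a file name, lower-cased, without the dot ("" if none).
std::string fileExtension(const std::string &name) {
    const auto dot = name.rfind('.');
    if (dot == std::string::npos || dot + 1 == name.size()) return "";
    std::string ext = name.substr(dot + 1);
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return ext;
}

// Hypothetical deny-list with the typo described on the page ("pywz"
// where "pyzw" was intended). Constructed for this example, not the
// actual list used by Telegram Desktop.
const std::set<std::string> kWarnListWithTypo = {"exe", "py", "pyw", "pywz"};
// The same list with the spelling corrected.
const std::set<std::string> kWarnListFixed    = {"exe", "py", "pyw", "pyzw"};

// True when the client would show a security warning before opening.
// Anything not in the list is handed to the OS default handler, which is
// why a single misspelled entry silently exempts a whole file type.
bool warnsBeforeOpen(const std::string &name,
                     const std::set<std::string> &warnList) {
    return warnList.count(fileExtension(name)) > 0;
}

// Temporary mitigation from the page: append an extension no program is
// registered for, so the OS asks the user to pick an application instead
// of running the file.
std::string untrustedName(const std::string &name) {
    return name + ".untrusted";
}
```

Running `warnsBeforeOpen("payload.pyzw", ...)` against the two lists shows the gap: the typo list returns false (file opens with no warning), the corrected list returns true.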