Critical Telegram flaw allows hacking a device using animated stickers

A security report from Italian firm Shielder details a security flaw in the Telegram messaging app that would allow the leaking of users’ private photos, videos and messages. The flaw resides in Telegram versions for Android, iOS and macOS devices and was reported to developers last October, so the deadline for disclosing these findings has now been met.

According to the report, the flaw lies in the way Telegram handles animated stickers and their use in the secret chat function. Threat actors can exploit the vulnerability by sending malware-loaded stickers to gain access to private files.

Without adding further details, the specialists state that the malware contained in these small files can abuse this feature to intercept sensitive files and eventually send them to a server under the attackers’ control.

The flaws were detected by this group of specialists while analyzing the Telegram code for Android, specifically the update that integrated the use of animated stickers. At the time, experts identified a total of 13 security flaws, including out-of-bounds writes, integer overflows, out-of-bounds reads, and denial-of-service flaws.

In compliance with the cybersecurity community’s responsible disclosure policy, the flaws were reported to Telegram. The company corrected all of these flaws in October 2020. Telegram reports that the updated versions are Android v7.1.0, iOS v7.1 and macOS v7.1. All users of this platform are advised to verify that their device is running the latest version of the app.

This is not the only security risk recently reported in Telegram. A few days ago, a group of researchers reported a flaw in the private chat feature that would allow threat actors to steal audio and video files that were intended for self-deletion after a certain period of time: “Version 7.3 of the macOS device app was affected by a vulnerability in the secret chat feature that did not allow the deletion of these records, which would be filtered from the sandbox path in which private files are stored,” mentions the report submitted by researcher Dhiraj Mishra.
