A Sticker sent to Telegram account could expose data including Secret chats, Photos, etc
Animated Sticker Bug — Telegram
Telegram — a messaging app with a focus on speed and security, cross-platform, cloud-based instant messaging, video calling, and VoIP service.
Nowadays, threat actors involve in sending malformed codes to take over user accounts including personal data.
And, researchers do hunting for bugs in applications to fix it as not to allow attackers perform such actions in any method.
Where Cyber Security researchers — Italy-based Shielder, disclosed details of the issue in iOS, Android, and macOS versions of the app.
One caveat of note —in order to enter modern devices today, exploiting the flaws in the wild requires chaining the aforementioned weaknesses to at least one additional vulnerability — not be trivial.
Which are very well in the reach of both cybercrime gangs and nation-state groups alike.
Importantly, Telegram addressed them in a series of patches on September 30 and October 2, 2020.
“We chose to wait for at least 90 days before publicly revealing the bugs so as to give users ample time to update their devices” — Shielder said.
“Periodic security reviews are crucial in software development, especially with the introduction of new features, such as the animated stickers,” the researchers said.
Further added, “The flaws we have reported could have been used in an attack to gain access to the devices of political opponents, journalists or dissidents.”
On the other hand, Telegram with new bug Self-Destructing Media Files patch released on January 29.
By default are not end-to-end encrypted, unless users explicitly opt to enable it.
Enabling device-specific feature called “secret chat,” which keeps data encrypted even on Telegram servers.
And, a bug — People Nearby in the secure messaging app — abused to unmask a user’s precise location.
However, Telegram told it’s not an issue. Disable the feature unless you want your location to be accessible by everyone.
Its not first time to carry out nefarious attacks by altering the data sent over messaging services.
Once the malformed stickers sent and opened by users data could have exposed including:
- users’ secret messages
- and, videos to remote malicious actors.
It is recommended to check reputed market place to verify whether latest patch are installed.