The flaw originated in the way the app handled animated stickers and how the Telegram secret chat functionality operated.
Italian cybersecurity firm Shielder disclosed the now-patched flaw identified in the Telegram messaging app. The flaw could have exposed photos, videos, and secret messages of Telegram users to remote threat actors.
The issues were discovered in Telegram’s Android, iOS, and macOS versions, which were addressed in a series of patches released between Sept 30 and Oct 2 last year. Shielder revealed the bugs publicly after 90 days to allow users to update their devices.
A Case of Flawed Stickers
The flaw originated in the way the Telegram app handled animated stickers and how the secret chat functionality operated. Attackers could exploit the flaw to send malicious stickers to users for obtaining access to photos/videos/chats.
It is important to note that both classic and secret chat messages were vulnerable to exposure.
About the Flaws
According to the report published by Shielder’s vulnerability researcher ‘Polict,’ the flaws were identified while skimming through the app’s Android app code back in Jan 2020, when Telegram had introduced animated stickers.
In total, 13 vulnerabilities were identified, including one heap out-of-bounds write, one stack out-of-bounds write, one stack out-of-bounds read, two heaps out-of-bound read, one integer overflow that led to heap out-of-bounds read, two type confusions, and five denial-of-service.
Which Telegram Versions were Patched
Abiding by the responsible disclosure policy, the flaws were reported to Telegram. The company patched all of them by Oct 2020. Reportedly, Telegram Android v7.1.0, Telegram iOS v7.1, and Telegram macOS v7.1 were patched.
“The flaws we have reported could have been used in an attack to gain access to the devices of political opponents, journalists, or dissidents,” the researcher noted.