On Telegram, hackers exploit a typo to spread their malware


Mélina LOUPIA

April 14, 2024 at 3:34 p.m.

Telegram victim of a zero day flaw © wichayada suwanachun / Shutterstock

Telegram fixed a zero day vulnerability that could be used to bypass security warnings and automatically launch Python scripts.

The instant messaging platform Telegram had a hard time at the beginning of April 2024 with the discovery of a zero day flaw in its desktop application for Windows. This security flaw, revealed by X.com users and subscribers to hacking forums, made it possible to bypass the application’s security warnings and automatically execute Python scripts.

Hackers could thus exploit this vulnerability to execute code remotely on the user’s device, putting personal data at risk. Telegram quickly responded by fixing this vulnerability, which turned out to stem from nothing more than human error.

From rumor to demonstration of the flaw

Rumors don’t just spread around coffee machines. Reports of a possible remote code execution vulnerability in the desktop version of Telegram for Windows spread like wildfire on hacking forums and on X.com. There was talk of a “zero click” flaw, even more formidable than a simple zero day flaw such as the one recently found in Google Chrome, which did not bode well for users.

Despite claims that a single click on shared media could launch Python scripts on users’ machines, Telegram quickly responded by disputing the claims, even calling the demo videos hoaxes. That post, published on its X.com account, has since been deleted.

The site Bleeping Computer asked Telegram for an explanation, and the company set the record straight in its response:

Rumors about the existence of zero click vulnerabilities in Telegram Desktop are inaccurate. Some “experts” recommended “turning off automatic downloads” on Telegram. There were no issues that could have been triggered by automatic downloads.

However, on Telegram Desktop, there was an issue that required the user to CLICK on a malicious file, even though the Python interpreter was installed on their computer. Contrary to what has been previously reported, this was not a zero-click vulnerability, and it could only affect a tiny portion of our user base: less than 0.01% of our users have Python installed and are using the corresponding version of Telegram for Desktop.

A server-side fix has been applied to ensure that this issue does not occur again, so all versions of Telegram Desktop (including older ones) no longer have this issue.

Zero click or zero day, these flaws are formidable © rafapress / Shutterstock

A typo behind the zero day flaw

However, the rumor of a zero day flaw persisted. Backed up by demonstrations on hacking sites, it turned out that the flaw had been caused by… a simple typo in the application’s source code, which allowed Python “.pyzw” files to be sent without triggering Telegram’s security warnings. The automatic execution of these scripts, without any prior warning from the application, put the security of users’ personal data at risk. Although Telegram disputed the zero-click nature of this flaw, it nonetheless took immediate action to correct the issue, deploying a server-side fix to prevent Python scripts from automatically launching when clicked.

With its back to the wall, Telegram reacted quickly by correcting the spelling of the extension in the source code file. However, this fix does not seem to be effective yet, as the warnings still do not appear when clicking on the file to launch it. Instead, Telegram used a server-side patch that adds the “.untrusted” extension to “pyzw” files.

So, when you click on them, Windows asks which program you want to use to open them instead of automatically launching them in Python. Future versions of the Telegram Desktop app are expected to include the security warning message rather than adding the “.untrusted” extension, which will add a bit more security to the process.
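The failure mode described above, as an added example that is not Telegram’s code: an extension denylist containing one transposed entry lets a “.pyzw” file through without a warning, and a small audit against a reference list catches the mistake before release. The lists, the function names and the transposed entry are constructed for illustration; the “.untrusted” suffix is the server-side mitigation the article describes.

```python
from pathlib import PurePath

# Constructed for illustration; these are not Telegram Desktop's actual lists.
LAUNCHER_EXTS = {"py", "pyw", "pyz", "pyzw"}  # assumed: types Windows opens with Python
BUGGY_DENYLIST = {"exe", "bat", "cmd", "py", "pyw", "pyz", "pywz"}  # last entry transposed
FIXED_DENYLIST = (BUGGY_DENYLIST - {"pywz"}) | {"pyzw"}


def extension(filename: str) -> str:
    """Final extension, lowercased. Windows ignores trailing dots and spaces."""
    cleaned = filename.rstrip(". ")
    return PurePath(cleaned).suffix.lstrip(".").lower()


def needs_warning(filename: str, denylist: set) -> bool:
    """True when the client should show its 'risky file' prompt before opening."""
    return extension(filename) in denylist


def audit_denylist(denylist: set, reference: set) -> list:
    """Return (missing_ext, suspected_typo) pairs.

    missing_ext is a launchable extension absent from the denylist;
    suspected_typo is a denylist entry with the same letters in another order,
    or None when no such entry exists.
    """
    findings = []
    for ext in sorted(reference - denylist):
        typo = next(
            (d for d in sorted(denylist - reference) if sorted(d) == sorted(ext)),
            None,
        )
        findings.append((ext, typo))
    return findings


def quarantine_name(filename: str, exts=frozenset({"pyzw"})) -> str:
    """Server-side mitigation: append '.untrusted' so Windows has no handler."""
    if extension(filename) in exts:
        return filename + ".untrusted"
    return filename


if __name__ == "__main__":
    print(needs_warning("invoice.pyzw", BUGGY_DENYLIST))   # typo: no warning shown
    print(audit_denylist(BUGGY_DENYLIST, LAUNCHER_EXTS))   # audit points at the typo
    print(quarantine_name("invoice.pyzw"))
```

Running the audit as a unit test against the list of extensions the platform actually associates with an interpreter turns this class of typo into a build failure instead of a silent gap.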

Source : Bleeping Computer

Mélina LOUPIA


Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that still fascinates the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
