A STICKER ON TELEGRAM COULD HAVE REVEALED YOUR SECRET CHATS
Cybersecurity researchers this week revealed details of an already patched bug in the messaging app Telegram, through which a sticker could have exposed victims' secret messages, photos, and videos to remote malicious users.
The flaws were discovered by the Italy-based firm Shielder in the iOS, Android and macOS versions of the application. Although the report does not mention the version for Linux, we assume that it was also exposed. Following the disclosure of these flaws, Telegram immediately took action through a series of patches released on September 30 and October 2, 2020.
The flaws stemmed from the way the secret chat functionality operates and from the application's handling of stickers, which allowed attackers to send stickers to unsuspecting users and gain access to the messages, photos and videos exchanged with their Telegram contacts through both classic and secret chats.
It should be mentioned that exploiting these flaws in the wild may not be trivial, as it requires chaining the aforementioned weaknesses with at least one additional vulnerability in order to circumvent the security defenses of modern devices. That might seem very difficult, but such attacks are within the reach of both cybercriminal gangs and certain groups sponsored by some nations.
Shielder said it decided to wait at least 90 days before publicly disclosing the bugs to give users enough time to update their devices.
"Regular security reviews are crucial in software development, especially with the introduction of new features such as animated stickers," said the researchers. "The bugs we have reported could have been used in an attack to access the devices of political opponents, journalists or dissidents."
It should be noted that this is the second bug discovered in the secret chat function of Telegram, after a privacy bug was reported last week in its macOS app that allowed access to self-destructing audio and video messages long after they disappeared from secret chats.
It is also worth noting that it is not the first time that images and multimedia files sent through messaging services have become weapons to carry out nefarious attacks.
In March 2017, researchers from Check Point Research revealed a new form of attack against the web versions of Telegram and WhatsApp, which consisted of sending users apparently innocuous image files containing malicious code that, when opened, could have allowed an adversary to take complete control of user accounts in any browser and access the victims' personal and group conversations, photos, videos and contact lists.
Source: Shielder Security Blog