
Telegram flaws could have allowed access to users' secret chats

Researchers at Shielder disclosed a set of flaws in the Telegram app that could have exposed users' secret messages, photos, and videos to remote attackers.

Researchers at the cybersecurity firm Shielder discovered critical flaws affecting the iOS, Android, and macOS versions of the instant messaging app Telegram.

They found that simply sending a sticker to a Telegram user could have exposed that user's secret chats, photos, and videos to a remote attacker.

In 2019 Telegram introduced animated stickers, and that feature was the starting point of the investigation. The "rlottie" folder in the app's source tree caught the researchers' attention: it holds Samsung's native library for playing Lottie animations, a JSON-based animation format originally created by Airbnb.

The researchers found multiple flaws in the way Telegram handled animated stickers, combined with the way the secret chat functionality is implemented. Secret chats are end-to-end encrypted, so the server has no opportunity to validate or re-encode a sticker before the recipient's client parses it; a malformed animation reaches the native parser untouched. An attacker could have exploited the flaws by sending malformed stickers to unsuspecting users and gained access to messages, photos, and videos exchanged through both classic and secret chats.

“What follows is my journey in researching the lottie animation format, its integration in mobile apps and the vulnerabilities triggerable by a remote attacker against any Telegram user. The research started in January 2020 and lasted until the end of August, with many pauses in between to focus on other projects.” reads the analysis published by Shielder experts.

“During my research I have identified 13 vulnerabilities in total: 1 heap out-of-bounds write, 1 stack out-of-bounds write, 1 stack out-of-bounds read, 2 heap out-of-bounds reads, 1 integer overflow leading to heap out-of-bounds read, 2 type confusions, 5 denial-of-service (null-ptr dereferences).”

The researchers took a fuzzing approach: they fuzzed Samsung's C++ library rlottie, which parses Lottie animations, and triaged the resulting crashes. Telegram's developers had adopted this library instead of Airbnb's own implementation.

“It’s important to note here also that Telegram developers chose to fork the rlottie project and maintain multiple forks of it, which makes security patching especially hard.” continues the report. “This will turn out to be an additional problem since Samsung’s rlottie developers do not track security issues caused by untrusted animations in their project because they are not “the intended use case for rlottie” (quote from https://gitter.im/rLottie-dev/community ).”

Once afl-fuzz was running against the library, the researchers observed multiple crashes, some of them caused by serious memory-safety issues: heap-based out-of-bounds reads and writes, a stack-based out-of-bounds write, and SEGVs at high addresses. The last category matters during triage: a fault on a high, non-null address points to an attacker-influenced pointer rather than a plain null dereference, so it is a candidate for more than a denial of service.
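The triage step described above, as an added example that is not Shielder's tooling or rlottie code: a small Python script that reads the AddressSanitizer reports afl-fuzz crashes produce when re-run under an ASan build, classifies each one into the categories the article lists (out-of-bounds write, out-of-bounds read, wild-pointer SEGV, null dereference), and collapses duplicates by innermost stack frame. The sample reports, crash ids, addresses and function names (`hypothetical_parse_keyframes` and friends) are constructed for the example; they are not real rlottie symbols or real Shielder findings.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample ASan reports (made up for this example; the function and file
# names are placeholders, not real rlottie symbols). afl-fuzz stores one crashing
# input per file; replaying each under an ASan build yields a report like these.
SAMPLE_REPORTS = {
    "id:000000,sig:06": (
        "==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x4f1a2b\n"
        "WRITE of size 4 at 0x602000000018 thread T0\n"
        "    #0 0x4f1a2a in hypothetical_parse_keyframes parser_stub.cpp:88:7\n"
        "    #1 0x4f0b10 in hypothetical_parse_layer parser_stub.cpp:41:3\n"),
    "id:000001,sig:06": (
        "==4243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd2000 at pc 0x4f2c00\n"
        "WRITE of size 8 at 0x7ffd2000 thread T0\n"
        "    #0 0x4f2bff in hypothetical_parse_gradient gradient_stub.cpp:120:5\n"),
    "id:000002,sig:06": (
        "==4244==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000040 at pc 0x4f1a2b\n"
        "READ of size 4 at 0x603000000040 thread T0\n"
        "    #0 0x4f1a2a in hypothetical_parse_keyframes parser_stub.cpp:88:7\n"),
    "id:000003,sig:11": (
        "==4245==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x4f3d00 T0)\n"
        "==4245==The signal is caused by a READ memory access.\n"
        "==4245==Hint: address points to the zero page.\n"
        "    #0 0x4f3cff in hypothetical_lookup_asset asset_stub.cpp:17:12\n"),
    "id:000004,sig:11": (
        "==4246==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3ab4c00010 (pc 0x4f4e00 T0)\n"
        "==4246==The signal is caused by a WRITE memory access.\n"
        "    #0 0x4f4dff in hypothetical_apply_transform transform_stub.cpp:203:9\n"),
    "id:000005,sig:06": (  # same bug as id:000000, different heap address
        "==4247==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000118 at pc 0x4f1a2b\n"
        "WRITE of size 4 at 0x602000000118 thread T0\n"
        "    #0 0x4f1a2a in hypothetical_parse_keyframes parser_stub.cpp:88:7\n"),
}

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)      # buffer-overflow reports
SIGNAL_RE = re.compile(r"caused by a (READ|WRITE) memory access")  # SEGV reports
FRAME_RE = re.compile(r"^\s*#0 0x[0-9a-fA-F]+ in (\S+)", re.M)     # innermost frame

# Rough exploitability ranking: an out-of-bounds write beats an out-of-bounds read,
# a wild (non-null) pointer beats a null dereference, which is "just" a DoS.
SEVERITY = {"oob-write": 4, "oob-read": 3, "wild-pointer": 2, "null-deref": 1, "unknown": 0}


@dataclass(frozen=True)
class Triage:
    bug_class: str   # one of the SEVERITY keys
    asan_kind: str   # raw ASan category, e.g. "heap-buffer-overflow" or "SEGV"
    access: str      # "READ", "WRITE" or "" when ASan did not say
    address: int
    top_frame: str   # innermost stack frame, used as the dedup key

    @property
    def severity(self) -> int:
        return SEVERITY[self.bug_class]


def classify_report(report: str) -> Triage:
    """Reduce one ASan report to a bug class plus the frame that triggered it."""
    m = HEADER_RE.search(report)
    if not m:
        raise ValueError("not an AddressSanitizer report")
    kind, address = m.group(1), int(m.group(2), 16)
    acc = ACCESS_RE.search(report) or SIGNAL_RE.search(report)
    access = acc.group(1) if acc else ""
    frame = FRAME_RE.search(report)
    top_frame = frame.group(1) if frame else "<no symbol>"
    if kind == "SEGV":
        # ASan's zero-page hint covers addresses below 4096: treat those as null
        # dereferences (DoS); anything higher is a pointer the input influenced.
        bug_class = "null-deref" if address < 0x1000 else "wild-pointer"
    elif kind.endswith("buffer-overflow"):
        bug_class = "oob-write" if access == "WRITE" else "oob-read"
    else:
        bug_class = "unknown"
    return Triage(bug_class, kind, access, address, top_frame)


def bucket_crashes(reports: dict) -> dict:
    """Group crash ids by (bug_class, top_frame) so duplicate crashes collapse."""
    buckets = defaultdict(list)
    for crash_id, text in reports.items():
        t = classify_report(text)
        buckets[(t.bug_class, t.top_frame)].append(crash_id)
    return dict(buckets)


def worklist(reports: dict) -> list:
    """Unique buckets, most exploitable first, as (bug_class, frame, crash_count)."""
    rows = [(SEVERITY[bc], bc, frame, len(ids))
            for (bc, frame), ids in bucket_crashes(reports).items()]
    rows.sort(key=lambda r: (-r[0], r[2]))
    return [(bc, frame, n) for _, bc, frame, n in rows]


if __name__ == "__main__":
    for bug_class, frame, n in worklist(SAMPLE_REPORTS):
        print(f"{bug_class:<13} {frame:<32} crashes={n}")
```

Bucketing on the innermost frame is deliberately coarse: it merges the two heap writes that hit the same placeholder parser function at different addresses, which is what you want before spending time on a root cause, but it can also merge distinct bugs that share a helper. Re-split a bucket on the full stack hash once it is worth a closer look.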

Telegram addressed the flaws with security updates released on September 30 and October 2, 2020.

Shielder waited 90 days after the fixes before publicly disclosing its findings, to give users time to update their devices.

“Today I shared with you the story of how I have found 13, some with a higher impact than others but all which were promptly fixed by Telegram for all the device families supporting secret chats: Android, iOS and macOS.” concludes the report. “This research helped me understand once more that it’s not trivial to limit attack surfaces at scale in end-to-end encrypted contexts without losing functionalities.”

I suggest reading the step-by-step analysis published by Shielder.

Last week, security researcher Dhiraj Mishra reported a bug in the Telegram macOS app that made it possible to access self-destructing audio and video messages long after they had disappeared from secret chats.


Pierluigi Paganini

(SecurityAffairs – hacking, Telegram)
