Researchers have discovered a serious security vulnerability in the popular messaging app Telegram. The weakness lies in the Telegram Bot API. In fact, researchers have also found malware, dubbed ‘GoodSender’, already abusing the API. Telegram is yet to respond in this regard.
Telegram Bot API Encryption Vulnerability
As reported recently, researchers from Forcepoint Security Labs have found a Telegram Bot API flaw that leads to a privacy breach. Exploiting this flaw can let an attacker gain access to all messages sent and received by a bot. Precisely, the discovery is not a bug in the code; rather, it is a weakness stemming from how the Telegram Bot API handles encryption.
According to Forcepoint, Telegram uses MTProto encryption for regular messages. In the case of the Bot API, however, the messages are protected by TLS only. Thus, an adversary can potentially perform man-in-the-middle (MITM) attacks on the target’s HTTPS traffic to snoop on the messages. All an adversary needs is to obtain and exploit certain pieces of information, such as the Bot API token.
Explaining one such method, the researchers stated,
“Equipped with these pieces of information, there are a number of methods that can be called from the Telegram Bot API. In our case, the forwardMessage() method is particularly useful, as it allows any message from any chat a given bot has access to be forwarded to an arbitrary Telegram user. To do this we need the API token and the ‘source’ chat_id (either extracted from previous messages sent by the bot or, in the case of malware, from the binary itself) – along with the ‘target’ chat_id (which is our own user id) and finally the message id we would like to forward.”
A potential attacker can simply exploit this vulnerability via malware. In fact, the researchers actually found malware actively exploiting the flaw and using the Bot API as its Command and Control (C2) channel. They have identified this malware as “GoodSender”, a Windows malware that has been around for over a year.
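A defender-side check for the C2 pattern described above, added here as an example (it is not Forcepoint’s code nor part of the report): it scans proxy log lines for calls to the Telegram Bot API, groups them per source host, redacts the bot token before it is logged, and flags hosts that call methods used to poll for commands or move message content. The log format and the sample lines (including the bot tokens) are constructed; the URL shape https://api.telegram.org/bot<token>/<method> is Telegram’s documented Bot API form, and an ordinary user client never speaks to that endpoint because it uses MTProto instead.

```python
import re

# Constructed sample proxy log lines (source IP, HTTP method, URL); the bot tokens are fake.
SAMPLE_LOGS = """\
10.0.0.7 GET https://api.telegram.org/bot123456789:AAFakeTokenValue_XYZ/getUpdates?offset=42
10.0.0.7 POST https://api.telegram.org/bot123456789:AAFakeTokenValue_XYZ/sendMessage
10.0.0.9 GET https://example.com/index.html
10.0.0.7 POST https://api.telegram.org/bot123456789:AAFakeTokenValue_XYZ/forwardMessage
10.0.0.12 GET https://api.telegram.org/bot987654321:BBAnotherFakeToken/getMe
"""

# Bot API URLs have the shape https://api.telegram.org/bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([\w-]+)/(\w+)")

# Methods that poll for operator commands or move message content; seeing them
# from a host that is not a known bot server is a strong C2 indicator.
HIGH_RISK_METHODS = {"getUpdates", "forwardMessage", "sendDocument"}


def redact_token(bot_id, secret):
    """Keep the numeric bot id for correlation, hide the secret half of the token."""
    return f"{bot_id}:{secret[:2]}***{secret[-2:]}"


def find_bot_api_beacons(log_text):
    """Group Bot API calls per source host; returns {host: {token, methods, severity}}."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        src, url = fields[0], fields[2]
        match = BOT_API_RE.search(url)
        if not match:
            continue
        bot_id, secret, method = match.groups()
        entry = findings.setdefault(src, {"token": redact_token(bot_id, secret), "methods": []})
        entry["methods"].append(method)
    for entry in findings.values():
        risky = HIGH_RISK_METHODS.intersection(entry["methods"])
        entry["severity"] = "high" if risky else "medium"
    return findings


if __name__ == "__main__":
    for host, info in find_bot_api_beacons(SAMPLE_LOGS).items():
        print(host, info["severity"], info["token"], ",".join(info["methods"]))
```

Any internal workstation that appears in the output deserves a look, since a bot token embedded in a binary is exactly what lets an analyst or an attacker read the bot’s chats.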
About The “GoodSender” Malware
As stated in their report, Forcepoint first spotted the malware while investigating ways to circumvent Telegram encryption. They found “GoodSender”, a .NET malware, using the Telegram Bot API as its C&C channel and gained access to the messages it exchanged about its victims. Explaining how it works, they stated,
“Once the malware is dropped it creates a new administrator user and enables remote desktop as well as making sure it’s not blocked by the firewall. The username for the new admin user is static, but the password is randomly generated. All of this information (the username, password, and IP address of the victim) is sent to the operator through the Telegram network, thus providing the operator with access to the victim’s computer through RDP.”
Regarding the vector used to deploy this malware, Forcepoint believes that the attacker may have exploited EternalBlue, and may already have scanned several US and Vietnamese IP ranges to build a list of vulnerable targets. The researchers have found the malware predominantly active in the US.
While the researchers have already informed Telegram of the vulnerability, Telegram officials have not yet responded to the matter. So, until a patch rolls out, the researchers recommend that Telegram users avoid using Telegram bots and stay away from groups and channels that include bots.