
Now-Patched Telegram Vulnerabilities Could Allow Spying On Chats Via Animated Stickers

by Abeerah Hashim
Telegram vulnerabilities via animated stickers

Recently, we heard of a vulnerability targeting the Telegram for macOS client. Right after that, another bug report surfaced online. This one, however, sheds light on some older Telegram vulnerabilities that required nothing more than sending animated stickers to exploit. Fortunately, Telegram has already addressed the flaws.

Telegram Vulnerabilities Exposing Chats Via Stickers

The Italian security firm Shielder has shared details of several Telegram vulnerabilities that anyone could exploit by sending malicious animated stickers.

As explained in their post, the researcher analyzed the Telegram code after animated stickers were introduced in the app and discovered 13 different vulnerabilities that put the security of users' chats at risk.

Specifically, these bugs comprised 2 heap out-of-bounds reads, 1 heap out-of-bounds write, 1 stack out-of-bounds read, 1 stack out-of-bounds write, 1 integer overflow leading to a heap out-of-bounds read, 5 denial-of-service bugs (null-pointer dereferences), and 2 type confusion flaws.

These vulnerabilities existed specifically in the way the Telegram apps handled animated stickers in secret chats. Briefly, Telegram uses the Lottie-based .TGS format for its stickers, which makes animated stickers look great without taking up much space.

However, all the flaws that Shielder discovered were in the Lottie library that the apps use to parse and render these stickers.
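As an added illustration of the kind of input hardening that sits in front of such a renderer (this is example code, not code from the article, from Shielder or from Telegram), the Python below validates a .TGS file, which is a gzip-compressed Lottie JSON document: it bounds the inflated size, checks that the top-level fields have the expected types, and rejects layers that reference a parent that does not exist, so the classes of bug listed above (out-of-bounds access, null-pointer dereference, type confusion) are refused before any native code touches the data. The size limits, field names and sample stickers are assumptions constructed for the example.

```python
import gzip
import json
import zlib
# Limits are assumptions for this example (Telegram's published sticker rules: 512x512, 64 KB); verify against the current spec.
MAX_COMPRESSED = 64 * 1024
MAX_INFLATED = 4 * 1024 * 1024
CANVAS = 512

def load_tgs(data: bytes) -> dict:
    if len(data) > MAX_COMPRESSED:
        raise ValueError("compressed sticker too large")
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)         # gzip framing
    raw = inflater.decompress(data, MAX_INFLATED + 1)           # bounded inflate; zlib.error on a bad stream
    if len(raw) > MAX_INFLATED:
        raise ValueError("inflated sticker too large")          # zip-bomb guard
    doc = json.loads(raw)                                       # JSONDecodeError is a ValueError
    if not isinstance(doc, dict):
        raise ValueError("root is not a JSON object")           # type-confusion guard
    return doc

def check_lottie(doc: dict) -> None:
    expected = {"w": int, "h": int, "fr": (int, float), "ip": (int, float),
                "op": (int, float), "layers": list}
    for key, typ in expected.items():
        if key not in doc:
            raise ValueError(f"missing field {key}")            # null-dereference guard
        if isinstance(doc[key], bool) or not isinstance(doc[key], typ):
            raise ValueError(f"field {key} has wrong type")     # type-confusion guard
    if doc["w"] != CANVAS or doc["h"] != CANVAS or doc["op"] < doc["ip"]:
        raise ValueError("unexpected canvas size or frame range")
    known = {l["ind"] for l in doc["layers"] if isinstance(l, dict) and isinstance(l.get("ind"), int)}
    for i, layer in enumerate(doc["layers"]):
        if not isinstance(layer, dict) or not isinstance(layer.get("ty"), int):
            raise ValueError(f"layer {i} malformed")
        parent = layer.get("parent")                            # must name an existing layer's "ind"
        if parent is not None and (not isinstance(parent, int) or parent not in known):
            raise ValueError(f"layer {i} references missing parent {parent}")  # dangling-reference guard

def validate_tgs(data: bytes) -> str:
    # Returns "ok" or the reason the sticker was rejected, never raising to the caller.
    try:
        check_lottie(load_tgs(data))
    except (ValueError, zlib.error) as exc:
        return str(exc)
    return "ok"

# Constructed sample stickers (not real Telegram assets): a minimal valid one and one
# whose second layer points at a parent layer that does not exist.
_BASE = {"v": "5.5.2", "fr": 60, "ip": 0, "op": 180, "w": 512, "h": 512,
         "layers": [{"ind": 1, "ty": 4}, {"ind": 2, "ty": 4, "parent": 1}]}
SAMPLE_GOOD = gzip.compress(json.dumps(_BASE).encode())
SAMPLE_DANGLING = gzip.compress(json.dumps(
    {**_BASE, "layers": [{"ind": 1, "ty": 4}, {"ind": 2, "ty": 4, "parent": 9}]}).encode())
```

Such a check only reduces the attack surface reaching the native parser; the library itself still has to be patched, as Telegram did.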

Hence, an adversary only needed to send a malicious sticker to the target recipient. The attacker could then spy on secret chats, including both the messages and the media files.

Despite being dangerous, exploiting these vulnerabilities in practice had some limitations. As stated in the post,

Fortunately the animated stickers are parsed and rendered only when the chat is opened, making these vulnerabilities reachable only if the chat is opened by clicking on it. Furthermore, since the animated sticker is downloaded on the device, every time the chat is opened the issue triggers; this turned useless memory corruptions (such as null-pointer dereferences) into an annoyingly persistent crash which would have prevented non-technical victims from accessing the previous messages in the chat.

The researchers have also described all these bugs in separate advisories available here.

Telegram Deployed The Fixes Already

Shielder discovered the vulnerabilities during a study lasting from January 2020 to August 2020.

Following the bug reports, Telegram eventually deployed fixes for all the flaws with the release of Telegram for Android v7.1.0 (2090), Telegram iOS v7.1, and Telegram macOS v7.1.

Given that Telegram has released numerous updates since then, many Telegram users have potentially received the patches already. However, anyone who hasn't updated their messenger app since October 2020 should update immediately.


1 comment

Priest February 22, 2021 - 12:38 pm

Well, that’s exactly what I was speaking about. Telegram is also not the best alternative to WhatsApp as it faced privacy issues not once and now again. I prefer something absolutely anonymous where I don’t have to provide any data. Like Utopia p2p. But seems like people don’t really care about their privacy and change apps from one to another, but it doesn’t really change much.
