Recently, we heard of a vulnerability targeting the Telegram for macOS client. Right after that, another bug report surfaced online. This one, however, sheds light on some older Telegram vulnerabilities that could be exploited simply by sending animated stickers. Fortunately, Telegram has already addressed the flaws.
Telegram Vulnerabilities Exposing Chats Via Stickers
The Italian security firm Shielder has shared details of several Telegram vulnerabilities that anyone could exploit by sending malicious animated stickers.
As explained in their post, the researcher analyzed the Telegram code after animated stickers were introduced in the app. In doing so, the researcher discovered 13 different vulnerabilities that put the security of users’ chats at risk.
Specifically, these bugs comprised two heap out-of-bounds reads, one heap out-of-bounds write, one stack out-of-bounds read, one stack out-of-bounds write, one integer overflow leading to a heap out-of-bounds read, five denial-of-service bugs (null-pointer dereferences), and two type confusion flaws.
These vulnerabilities existed specifically in the way the Telegram apps handled animated stickers in secret chats. Briefly, Telegram uses the Lottie-based .TGS format for stickers, which lets animated stickers look good without taking up much space.
However, all the flaws that Shielder discovered were in this Lottie library.
Hence, an adversary only had to send a malicious sticker to the target recipient. The attacker could then spy on secret chats, including both the messages and the media files.
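Since the bugs lived in the native parser that consumes .TGS files (gzip-compressed Lottie JSON), one defensive layer is to sanity-check a sticker before it ever reaches that parser. The following is an added example, not code from Telegram, Shielder or the Lottie library; the decompressed-size, nesting-depth and canvas thresholds are assumptions chosen for the demo, and the sample stickers are constructed inline.

```python
import gzip
import json
import zlib

# Example thresholds (assumed for this demo, not Telegram's own limits).
MAX_DECOMPRESSED = 4 * 1024 * 1024  # bytes of Lottie JSON after gunzip
MAX_DEPTH = 64                      # JSON nesting depth
MAX_DIMENSION = 1024                # canvas width/height in pixels
REQUIRED_KEYS = ("v", "fr", "ip", "op", "w", "h", "layers")

def _gunzip_bounded(data: bytes, limit: int) -> bytes:
    # Inflate a gzip stream, but stop as soon as the output would exceed `limit`.
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = d.decompress(data, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise ValueError("decompressed payload exceeds limit")
    return out

def _check_depth(node, depth: int = 0) -> None:
    # Reject documents nested deeper than MAX_DEPTH (cheap stack-exhaustion guard).
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for child in children:
        _check_depth(child, depth + 1)

def validate_tgs(data: bytes):
    # Return (True, "ok") if `data` looks like a sane .tgs, else (False, reason).
    if data[:2] != b"\x1f\x8b":
        return False, "not a gzip stream"
    try:
        doc = json.loads(_gunzip_bounded(data, MAX_DECOMPRESSED))
    except (zlib.error, ValueError) as exc:  # JSONDecodeError is a ValueError
        return False, f"malformed payload: {exc}"
    if not isinstance(doc, dict) or any(k not in doc for k in REQUIRED_KEYS):
        return False, "not a Lottie animation object"
    if not all(isinstance(doc[k], int) and 0 < doc[k] <= MAX_DIMENSION for k in ("w", "h")):
        return False, "unreasonable canvas size"
    try:
        _check_depth(doc)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"

# Constructed samples (not real stickers): a minimal empty animation, one with an
# absurd canvas, and one whose layer tree is nested 100 levels deep.
_BASE = {"v": "5.5.2", "fr": 60, "ip": 0, "op": 30, "w": 512, "h": 512, "layers": []}
GOOD_TGS = gzip.compress(json.dumps(_BASE).encode())
HUGE_CANVAS_TGS = gzip.compress(json.dumps({**_BASE, "w": 2**31 - 1}).encode())
DEEP_TGS = gzip.compress(json.dumps({**_BASE, "layers": json.loads("[" * 100 + "]" * 100)}).encode())
```

Such a pre-check does not fix a memory-safety bug in the renderer, but it rejects oversized, malformed or absurdly nested inputs before a native parser touches them, which shrinks the reachable attack surface.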
Despite being dangerous, exploiting these vulnerabilities in practice had some limitations. As stated in the post,
Fortunately the animated stickers are parsed and rendered only when the chat is opened, making these vulnerabilities reachable only if the chat is opened by clicking on it. Furthermore, since the animated sticker is downloaded on the device, every time the chat is opened the issue triggers; this turned useless memory corruptions (such as null-pointer dereferences) into an annoyingly persistent crash which would have prevented non-technical victims from accessing the previous messages in the chat.
The researchers have also published a separate advisory for each of these bugs.
Telegram Deployed The Fixes Already
Shielder discovered the vulnerabilities during a study that ran from January 2020 to August 2020.
Following the bug reports, Telegram deployed fixes for all the flaws with the release of Telegram for Android v7.1.0 (2090), Telegram iOS v7.1, and Telegram macOS v7.1.
Given that Telegram has released numerous updates since then, most Telegram users have likely received the patches already. However, anyone who hasn’t updated their messenger app since October 2020 should update immediately.