Blockchain security firm CertiK has published a report claiming a new vulnerability in Telegram Messenger that exposes users to malicious attacks. In its post on X, the firm said attackers could use the flaw to achieve remote code execution (RCE) through Telegram's media processing.
CertiK details Telegram’s desktop application’s vulnerability
The post clarified that the flaw lies in the media processing of Telegram's desktop application, and that this is where an RCE attack could be mounted. CertiK said users could be exposed through specially crafted media files. “This issue exposes users to malicious attacks through specially crafted media files, such as images or videos,” CertiK said.
According to a CertiK spokesperson, the vulnerability is limited to the desktop application. He noted that the mobile application does not execute programs directly, unlike the desktop application, which requires signatures. The spokesperson also said that the issue was discovered by the security community. As a mitigation, CertiK urged users to disable the auto-download feature in the desktop version of Telegram.
Users can disable auto-download by opening ‘Settings’ and then ‘Advanced’. Under the automatic media download section, they should turn off automatic downloads for every media type.
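Disabling auto-download stops files from landing on disk unasked, but anything already downloaded is worth a second look. The script below is an added example, not code from CertiK or Telegram: it walks a download folder and flags files whose extension claims an image or video but whose leading bytes say otherwise (a PE, ELF, ZIP container or script shebang behind a media extension, or a media extension whose header does not match). The folder and its sample files are constructed inside the script so it runs offline; the magic-byte values are the standard ones for each format. It is a disguise check only: a genuine JPEG or MP4 that exploits a bug in the decoder has a valid header and will pass, so this complements, rather than replaces, turning off auto-download.

```python
"""Flag non-media files hiding behind media extensions in a download folder.
Added example; the folder and sample files are constructed below, not taken
from any real Telegram Desktop installation."""
import os
import tempfile

# Well-known leading bytes for common image containers.
MEDIA_MAGIC = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}

# Leading bytes that are never media: Windows PE, ELF, ZIP-based archives,
# and script shebangs.
EXECUTABLE_MAGIC = [b"MZ", b"\x7fELF", b"PK\x03\x04", b"#!"]


def header_matches_extension(ext, header):
    """True if the first bytes fit the claimed media extension, False if they
    do not, None if the extension is not a media type this script knows."""
    ext = ext.lower()
    if ext in (".mp4", ".mov"):
        return header[4:8] == b"ftyp"          # ISO BMFF: 4-byte size, then 'ftyp'
    if ext == ".webp":
        return header[:4] == b"RIFF" and header[8:12] == b"WEBP"
    if ext in MEDIA_MAGIC:
        return any(header.startswith(m) for m in MEDIA_MAGIC[ext])
    return None


def classify(name, header):
    """Return a reason string if the file looks suspicious, else None."""
    ext = os.path.splitext(name)[1]
    if any(header.startswith(m) for m in EXECUTABLE_MAGIC):
        return "executable/archive header %r behind extension %s" % (header[:4], ext or "<none>")
    verdict = header_matches_extension(ext, header)
    if verdict is None:
        return "non-media extension %s in media folder" % (ext or "<none>")
    if verdict is False:
        return "header does not match claimed media type %s" % ext
    return None


def scan_folder(directory):
    """Map file name -> reason for every suspicious regular file in directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            header = f.read(16)            # only the leading bytes are needed
        reason = classify(name, header)
        if reason:
            findings[name] = reason
    return findings


def build_sample_folder():
    """Constructed sample files standing in for a Telegram Desktop download folder."""
    d = tempfile.mkdtemp(prefix="tg_media_")
    samples = {
        "cat.jpg":     b"\xff\xd8\xff\xe0" + b"\x00" * 12,         # genuine JPEG header
        "clip.mp4":    b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 4,  # genuine MP4 header
        "sticker.gif": b"GIF89a" + b"\x00" * 10,                   # genuine GIF header
        "photo.png":   b"MZ\x90\x00" + b"\x00" * 12,               # PE binary named .png
        "album.zip":   b"PK\x03\x04" + b"\x00" * 12,               # archive, not media
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for name, reason in scan_folder(build_sample_folder()).items():
        print("%-12s %s" % (name, reason))
```

Point `scan_folder` at the real Telegram Desktop download directory to use it in earnest; the executable-header check runs before the extension check so that a double extension or an unusual media suffix cannot bypass it.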
Response and measures to address vulnerabilities
Telegram is a messaging application that has enjoyed considerable success since its launch. The crypto-friendly app lets users exchange messages, pictures, videos, and digital assets such as Bitcoin and Toncoin. These crypto transactions run through its custodial wallet, called Wallet, which the platform offers for newcomers who are not yet comfortable with self-custody.
Telegram quickly replied to the post on X, saying it could not confirm the vulnerability. “We can’t confirm that such a vulnerability exists. This video is likely a hoax,” the messaging app said.
This is not the first time a vulnerability has been reported on the platform. In 2023, Google engineer Dan Revah disclosed a bug in the macOS app that could let an attacker access the camera and microphone on macOS laptops.
Telegram has also been working to find and fix vulnerabilities in its apps. It has run a bug bounty program since 2014, offering researchers and developers rewards of up to $100,000 for reported issues, and it has urged anyone who finds a flaw to report it. “Anyone can report potential vulnerabilities in our apps and get a reward,” Telegram said.