Telegram Desktop Security Update: Clarification on Zero-Click Vulnerability Rumors

The alleged vulnerability is reported to affect exclusively those Telegram users who have installed Python on their Windows computers

Python near the computer
A typo in the Python file extension added to Telegram's list of risky files has created a vulnerability in the Windows desktop application

According to the technology news website Bleeping Computer, Telegram has fixed the vulnerability in its Windows desktop application that allegedly facilitated the automated installation of scripts sent through the messaging platform. While Telegram informed the Bleeping Computer team that "A server-side fix has been applied to ensure that even this issue no longer reproduces, so all versions of Telegram Desktop (including all older ones) no longer have this issue," it turns out that the true nature of the vulnerability was different than initially thought.

Read also: Windows Server 2022 Users Alarmed by Unexpected Copilot Installation

One of the parties reporting the potential issue was the Web3 security firm CertiK, which warned its community on April 9 about a "high-risk" vulnerability, possibly of the Remote Code Execution (RCE) type. A vulnerability of this type could give access to a victim’s system, allowing threat actors to execute commands remotely, which poses serious risks, including potential malware distribution, theft of sensitive information, unauthorized access to cryptocurrency wallets, or the installation of cryptocurrency miners. Importantly, CertiK believed all of these actions could occur without the knowledge or consent of the affected device owners, as the vulnerability was suspected to be of a zero-click nature.

In its post, which was no longer available at press time, CertiK claimed that such an issue "exposes users to malicious attacks through specially crafted media files, such as images or videos."

In the same report, CertiK provided instructions on mitigating the potential risks associated with the automated download feature in Telegram, recommending disabling it for each media type across all chat categories, including private chats, groups, and channels. According to CertiK, this could be done through advanced settings.

Initially, Telegram called the reports about the issue a possible "hoax," claiming that the team "can’t confirm that such a vulnerability exists."

According to Bleeping Computer, the day after the initial vulnerability report, a proof of concept exploit surfaced on an XSS hacking forum, detailing a typo in the Telegram for Windows source code. It turned out that the automated execution of files was indeed possible without triggering any Telegram warnings, which are normally expected to appear for executable files. However, this vulnerability enabled the execution of Python .pyzw files due to a typo in the Telegram Windows application’s source code.

Spelling typo in Telegram code
Source: Bleeping Computer

Bleeping Computer stressed the severity of the issue, emphasizing how a Python file could be disguised as a shared video, effectively tricking users into clicking on it. While this proves the existence of the issue, the news platform notes that the video showed clicking on the shared media, suggesting that the vulnerability was not of a zero-click type after all.

"Rumors about the existence of zero-click vulnerabilities in Telegram Desktop are inaccurate," Telegram stated in its comment to Bleeping Computer, adding that "Some 'experts' recommended to 'disable automatic downloads' on Telegram — there were no issues which could have been triggered by automatic downloads."

Yet, Telegram confirmed that contrary to initial reports, the identified issue with its desktop application was not a zero-click vulnerability, as it required clicking on the file. Furthermore, the team behind the messaging software claimed that the vulnerability was relatively limited in scope, affecting less than 0.01% of Telegram Desktop users who have both Python installed and are using the relevant version of the application.

Read also: Roblox Unblocked - Free Robux Generators Spreading Malware on the Rise

"A server-side fix has been applied to ensure that even this issue no longer reproduces, so all versions of Telegram Desktop (including all older ones) no longer have this issue," the team emphasized, indicating that the problem had already been resolved.

Bleeping Computer provided further details on the nature of the vulnerability, explaining that while the desktop application warns its users when attempting to open executable types included in its list of risky file extensions, it does not prevent the automated launch of unknown file types shared through Telegram. This allows the operating system to determine the appropriate program to use and execute the file.

While the news platform team believes the implementation of a security warning message can effectively prevent the automatic execution of unknown file types, the issue with Python files was exacerbated by the typo in the application code mentioned earlier. Telegram developers mistakenly added the .pyzw extension to their list of risky file types with a typo, entering it as "pywz" instead of the correct "pyzw." As a result, when these files were sent over Telegram and clicked on, they bypassed security warnings and were automatically launched.

At the same time, many tech-savvy users recommend that others refrain from using any messaging applications initially designed for mobile devices on Windows, mainly due to privacy concerns and the risk of malware distribution.

Bleeping Computer also raised concerns about Telegram being aware of the software installed on the Windows machines of its users. The team claims that this type of data is not mentioned in the application’s Privacy Policy.

Meanwhile, in March, the technology news platform ZDNet drew attention to the Peer-to-Peer Login program for a free subscription to the Premium plan introduced by Telegram for Android users in select countries. To leverage a free subscription to the plan, valued at $4.99 per month, users are encouraged to receive and forward SMS login codes for other Telegram users.

ZDNet emphasized that sharing OTP codes could potentially expose users' phone numbers to others, undermining the security of multi-factor authentication where phone numbers play a crucial role. The platform also believes that such an offer also contradicts Telegram's commitment to user privacy and security, providing threat actors with a powerful tool to exploit.