Messaging app Telegram was beset with vulnerabilities last year after one security researcher discovered 13 in the course of a single investigation. Writing for IT security firm Shielder, an individual known as “polict” also confirmed that all the security bugs have been responsibly reported to Telegram and subsequently fixed.
The Telegram vulnerabilities were initially discovered after investigating the source code for new animated stickers that the secure messaging app launched in 2019. The flaws allowed attackers to send malicious stickers to victims in order to gain access to private messages, photos, and videos. Although the exploit was far from straightforward, there’s no guarantee that this would have discouraged sophisticated threat actors.
The 13 vulnerabilities included one heap out-of-bounds write, one stack out-of-bounds write, one stack out-of-bounds read, two heap out-of-bound read, one integer overflow leading to heap out-of-bounds read, two type confusions, and five denial-of-service flaws.
All patched up
“Before starting this research in 2019 I would have been pretty skeptical if you had asked me whether the following year I’d find a single memory corruption in Telegram,” polict wrote. “Today I shared with you the story of how I have found 13, some with a higher impact than others but all which were promptly fixed by Telegram for all the device families supporting secret chats: Android, iOS, and macOS. This research helped me understand once more that it’s not trivial to limit attack surfaces at scale in end-to-end encrypted contexts without losing functionalities.”
Following the discoveries, security researchers waited 90 days before informing Telegram of the security issues. They have since all been patched, following updates for the Android, iOS, and macOS versions released in September and October of last year. Essentially, if you have updated your Telegram app within the last four months, you will be protected.
Although Telegram acted swiftly to patch the flaws, the vulnerabilities are still somewhat embarrassing for the messaging app. Telegram prides itself on the privacy and security it can offer its users, making any security bugs particularly damaging to the app’s reputation.
Via Shielder