April 12, 2024 at 02:47PM
The Telegram Windows desktop app had a zero-day vulnerability allowing the automatic launch of Python scripts. Telegram disputed these claims, but a proof of concept exploit was shared on a hacking forum. Telegram fixed this issue with a server-side fix. Telegram’s Desktop client has also been modified to prevent such issues in the future.
Based on the meeting notes, the quick and effective summary would be as follows:
Telegram faced vulnerabilities in its Windows desktop application that allowed bypassing security warnings and automatically launching Python scripts. These issues included a typo in the source code for Telegram for Windows, which could be exploited to send Python files that bypassed security warnings when clicked. A proof of concept exploit disguised the Python file as a shared video, allowing attackers to remotely execute code on a target’s Windows device. Telegram has responded by making server-side fixes and future versions of the Telegram Desktop app will include additional security measures to prevent such issues.