WingNews logo WingNews GitHub [2]
top | item 39978377

Telegram RCE

19 points| chickenwidd | 1 year ago |twitter.com | reply

10 comments

order
[+] wheresmyshadow|1 year ago|reply
I've seen this before. It doesn't work that way, Telegram Desktop first will tell you that "this is an exe file that might be highly dangerous" with a checkbox below to "don't show this again".

Having that said, I think this should still be rejected by the server so it's weird that it worked that way. However, the issue is not as bad as the video claims it to be, a user will be warned.

[+] chickenwidd|1 year ago|reply
Anyone have any info on this, how serious it is etc? Very vague post.
[+] rvnx|1 year ago|reply
Seems like a revive of: https://github.com/desktop-app/lib_webview/commit/77b1712a8f... (2022)

where you could open an app by running window.open("C:\Windows\system32\cmd.exe")

This is a guess based on the behavior in the video, and on the recent fix on Media Preview feature of "Instant View" attachments: https://github.com/telegramdesktop/tdesktop/commit/eaaa704fa... (3 days ago)

so potentially could be just to send an Instant View link pointing to an executable app instead of a website.

[+] wepple|1 year ago|reply
If you’re using a fully-fledged OS for your secure comms (and using telegram off of a mobile device to start with), this probably isn’t your biggest threat.

Disabling of automatic media parsing as suggested is absolutely a wise choice.

This would be pretty bad indeed if it were wormable.

[+] bananapub|1 year ago|reply
this does seem to be nonsense, but people do really need to consider Telegram to be highly untrustworthy and not providing any privacy guarantees at all.

for some reason, lots of people consider it to be a similar sort of thing to Signal, but it's not - Signal takes privacy and security extremely seriously, Telegram ... does not.