A zero-day vulnerability in Telegram's Windows desktop application was caused by a typo in the source code. It allowed attackers to send Python zipapp (.pyzw) files that bypassed Telegram's security warning and launched as soon as the recipient clicked them, even though Telegram normally warns users before opening executable files.
At first, Telegram denied that the vulnerability existed; a public proof-of-concept exploit, however, showed that it was real.
The now-patched vulnerability in Telegram Desktop let attackers launch Python scripts disguised as videos. It was not the zero-click exploit first feared: the victim had to click the file, and Python had to be installed on the victim's machine so that Windows associated the .pyzw extension with it.
Telegram claims the issue affected less than 0.01% of users because of these software requirements, and says a server-side fix now blocks the exploit regardless of what the user has installed. Some have questioned how Telegram could determine which software its users have installed, since its privacy policy does not mention collecting that information.
The Telegram vulnerability:
Telegram Desktop implements a security feature for known risky file extensions (such as .exe): it displays a warning before launching them, overriding the default Windows behaviour of opening the file with its associated program.
For extensions not on that list, Telegram defers to Windows. That is risky if the user has installed software that associates the extension with a program which executes the file, for example Python, which registers the .pyzw extension (Python zipapps) with pythonw.exe.
The vulnerability in Telegram for Windows came from a typo made by Telegram developers when adding the .pyzw extension to the list of blocked executables: the extension was entered as "pywz" instead of "pyzw", so a real .pyzw file never matched the list. Attackers could use this to execute Python code on the victim's machine once the victim clicked the file.
By sending the .pyzw file through a Telegram bot with a video (.mp4) thumbnail, attackers made it look like an ordinary video. Clicking it skipped Telegram's warning, because the extension check never matched, and Windows handed the file to Python, which ran the malicious code and gave the attacker code execution on the victim's machine.
According to BleepingComputer, the typo is in the data_document_resolver.cpp file, which holds Telegram Desktop's list of extensions that require a warning. Because "pyzw" was misspelled there, .pyzw files were treated like any other unknown file, which is what allowed arbitrary Python code disguised as an MP4 video to run from Telegram Desktop.
Telegram deployed a temporary server-side fix that appends a ".untrusted" extension to .pyzw files, so Windows has no program associated with them and instead asks the user which program to open them with. A future client-side update is expected to show a proper security warning instead of relying on the ".untrusted" rename.
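The following is an added example, not Telegram's code, that models the decision described above in Python: a blocklist containing the typo "pywz" next to the corrected one, a constructed stand-in for the victim's Windows file associations, and Telegram's interim ".untrusted" rename. The blocklist here is a representative subset (the real list in data_document_resolver.cpp is much longer), and the association table, file names and helper names are assumptions made for the demonstration.

```python
"""
Model of Telegram Desktop's risky-extension check, with and without the typo.
This is an illustrative reconstruction, not the project's own code.
"""
import os

# Representative subset of the dangerous-extension list as shipped before the
# fix. "pywz" is the typo; the Python zipapp extension is really "pyzw".
RISKY_EXTENSIONS_BUGGY = {"exe", "bat", "cmd", "msi", "ps1", "py", "pyw", "pyz", "pywz"}

# The same list with the typo corrected.
RISKY_EXTENSIONS_FIXED = (RISKY_EXTENSIONS_BUGGY - {"pywz"}) | {"pyzw"}

# Constructed stand-in for a victim's Windows file associations. The "pyzw"
# entry exists only when Python for Windows is installed.
WINDOWS_ASSOCIATIONS = {
    "mp4": "wmplayer.exe",
    "pyzw": "pythonw.exe",
}

# Extensions the server-side fix renames to "<name>.untrusted".
SERVER_SIDE_RENAMED = {"pyzw"}


def extension_of(filename):
    """Lower-cased text after the last dot, which is what Windows keys associations on."""
    _, ext = os.path.splitext(filename)
    return ext.lstrip(".").lower()


def decide(filename, risky_extensions, associations):
    """Return what happens when the user clicks the file.

    'warn'              -> Telegram shows its own security prompt
    'open-with:<prog>'  -> Telegram defers to Windows, which launches <prog>
    'ask-user'          -> Windows has no association and asks which program to use
    """
    ext = extension_of(filename)
    if ext in risky_extensions:
        return "warn"
    program = associations.get(ext)
    if program is None:
        return "ask-user"
    return f"open-with:{program}"


def server_side_mitigation(filename):
    """Telegram's interim fix: append '.untrusted' so the name no longer ends in
    an extension Windows can map to a program."""
    if extension_of(filename) in SERVER_SIDE_RENAMED:
        return filename + ".untrusted"
    return filename


def demo():
    """Run the same attacker file through each configuration and collect the outcomes."""
    # Constructed attacker file: a Python zipapp sent via a bot with an .mp4 thumbnail.
    victim_file = "holiday_video.pyzw"
    no_python = {k: v for k, v in WINDOWS_ASSOCIATIONS.items() if k != "pyzw"}
    return {
        "buggy client, Python installed": decide(
            victim_file, RISKY_EXTENSIONS_BUGGY, WINDOWS_ASSOCIATIONS),
        "buggy client, no Python": decide(
            victim_file, RISKY_EXTENSIONS_BUGGY, no_python),
        "fixed client": decide(
            victim_file, RISKY_EXTENSIONS_FIXED, WINDOWS_ASSOCIATIONS),
        "buggy client + server fix": decide(
            server_side_mitigation(victim_file), RISKY_EXTENSIONS_BUGGY, WINDOWS_ASSOCIATIONS),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:32} -> {outcome}")
```

The buggy list only ever fires for the misspelled "pywz", so a real .pyzw file slips through to Windows and runs under pythonw.exe; the same file is warned about by the corrected list, and the server-side rename turns it into a file Windows cannot map to any program. The "no Python" case shows why Telegram could bound the impact to users with a particular association registered. To check what your own Windows machine would do with such a file, run `assoc .pyzw` in a command prompt: if it prints a file type, the extension is mapped to a program.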
Never forget to check out our YouTube channel, ETHICAL EMPIRE, and keep reading our exciting blogs. Until next time, stay curious, stay secure, and keep exploring the fascinating world of cyber security. See you soon, bye!