EDIT: this was a bit misleading, see: https://mstdn.io/@wolf480pl/116318471815623940
Looks like there's a bit more info on the zero-click Telegram RCE and holy shit this looks bad:
> This vulnerability allows an attacker to execute arbitrary code on a victim's device simply by sending a specially crafted animated sticker or media file. No user interaction is required
> A Telegram spokesperson denied the vulnerability's existence, claiming the research was incorrect.
@buherator it's possible, but it does link to the Italian govt cybersecurity agency, which is something I didn't know from the initial ZDI candidate.
https://www.acn.gov.it/portale/w/telegram-rilevata-presunta-vulnerabilita-0-click
Looks like it poorly (possibly with AI) aggregates information from other places and I panicked / got fooled by my confirmation bias
Sorry
E.g. if you look at the Italian govt website
https://www.acn.gov.it/portale/w/telegram-rilevata-presunta-vulnerabilita-0-click
the "Telegram's response" part seems to say that Telegram claims to validate the stickers on its servers before sending them to any client apps
Which the article didn't mention.
But also I don't know Italian and used machine translation so I don't know for sure if that's what it says :/
@poni fuck, I got high on confirmation bias. It totally does look like slop.
Sorry for spreading it.
From my translation: "The vendor states that each sticker loaded on the platform undergoes a mandatory validation procedure on its servers before being deployed to client applications. According to this official location, the centralized filtering process prevents the use of corrupt stickers as an attack vector, making it technically impossible to execute malicious code via that method."
Just a gentle reminder, by their own admission, that everything you say or send on Telegram goes through their servers in plain text.
This means that anyone with (bought or enforced) access to Telegram servers can read anything you say or send to anyone.
@avuko
AFAIU that validation is when uploading a new sticker, not when using an already-defined one.
> everything you say or send on Telegram goes through their servers in plain text
where did they say that?
Also AFAIK they only ever claimed that the special "secret chat" mode that nobody uses is end-to-end encrypted, the regular chats were never claimed to be end-to-end encrypted, so obviously the server had access to it...
But that's neither news nor RCE.
@avuko what I'm more concerned about is anyone with (bought or enforced) access to Telegram servers bypassing the sticker verification and using the alleged RCE...
@wolf480pl that is certainly an option.
Although, if you already have access to the servers to bypass validation etc., I'm sure there would be easier ways to compromise Telegram endpoints.
Or did this presumed RCE include privesc/sandbox escape?
@avuko
Sandbox escape on Android is one possibility, but the RCE also affects native Telegram client for desktop Linux, which isn't always sandboxed.
Plus, if someone was using the special e2e encrypted chats, and if there weren't already vulns in that protocol that the server could exploit, compromising the client would give the attacker access to those.
@avuko
oh, also an RCE in a sandboxed app still lets you make outbound network connections in whatever network the victim has access to, right?