Conversation

Looks like there's a bit more info on the zero-click Telegram RCE and holy shit this looks bad:

> This vulnerability allows an attacker to execute arbitrary code on a victim's device simply by sending a specially crafted animated sticker or media file. No user interaction is required
> A Telegram spokesperson denied the vulnerability's existence, claiming the research was incorrect.

https://github.com/gameworkerkim/Telegram-0-Click-RCE-SECURITY-VULNERABILITY-ANALYSIS-REPORT/blob/main/Telegram%200-Click%20RCE_ENG.md

@wolf480pl This report looks like pure AI slop, but @thezdi does have a matching candidate listed (meaning ZDI accepted the submission as a valid vuln):

https://www.zerodayinitiative.com/advisories/upcoming/

Since that vuln was reported just 4 days ago, my educated guess is that 1) the reporter wasn't dumb enough to trash their ZDI bounty by posting details online, and 2) someone saw the candidate and generated a slop report about it without any technical grounding.

Edit: the reporter also works for ZDI, so I highly doubt they started a darkweb sell...

@buherator it's possible, but it does link to the Italian govt cybersecurity agency, which is something I didn't know from the initial ZDI candidate.

https://www.acn.gov.it/portale/w/telegram-rilevata-presunta-vulnerabilita-0-click

@wolf480pl Gov data can easily come from fake darkweb listings (sold as "threat intelligence"), aka beware of circular references

Looks like it poorly (possibly with AI) aggregates information from other places and I panicked / got fooled by my confirmation bias

Sorry

E.g. if you look at the Italian govt website
https://www.acn.gov.it/portale/w/telegram-rilevata-presunta-vulnerabilita-0-click

the "Telegram's response" part seems to say that Telegram claims to validate the stickers on its servers before sending them to any client apps

Which the article didn't mention.

But also I don't know Italian and used machine translation so I don't know for sure if that's what it says :/

@wolf480pl though, that report feels like LLM slop?

@poni fuck, I got high on confirmation bias. It totally does look like slop.

Sorry for spreading it.
