Telegram Remote Code Execution Zero-Day Vulnerability (opens in new tab)

(securelist.com)

43 pointsgeektips8y ago16 comments

16 comments

Calling it "remote code execution" is veeeery clickbait-y. By this logic, any website with download links uses "remote code execution".

Even the source article says just "zero-day".

Also, tldr: Using Unicode Right-To-Left, you can make Telegram show file name "gpj.js" as "sj.jpg". That's all.

kbart8y ago

Yeah, I was disappointed as well. This "zero day remote code execution" actually is not much more than good, old "important_document.pdf.exe" just slightly more obscure.

Tenobrus8y ago

The "exploit" doesn't even have anything to do with Telegram specifically (except presumably that there's some known real world use on that platform). I'm surprised at this kind of article coming from Kaspersky.

jwilk8y ago

But it's not "zero-day" either.

The aricle says it was discovered in October 2017, and that they "informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products".

escapologybb8y ago

This is mildly off topic but regarding clickbait titles, does anyone have any good idea how we can stop them? Because everybody hates them, but everybody clicks on them. Seriously, I hate the way BBC News has turned into a clickbait nightmare; but I still clicked on the "my husband turned into an otter, then became a security professional" link, or whatever it was.

It's a knotty problem. Also exploits in software bad.

thinkMOAR8y ago

and it seems to be limited to windows only, imho not a detail to leave out

dsacco8y ago

This article is atrocious. It has a clear agenda motivating its publication that is simply at odds with facts.

1. This is not a vulnerability with Telegram. The headline is deliberate clickbait, and the article’s Telegram-centric presentation doesn’t redeem it.

2. This is not a remote code exeution vulnerability, or even a “0-day” (for whatever meaning that term still has...). This vulnerability is a malicious file upload combined with a clever phishing vector.

The reporting is exceptionally bad - so much so that it is difficult for me to attribute it to simple ignorance. It is very clearly trying to hit several checkboxes for what is otherwise a non-story:

* Telegram

* Cybercrime

* Cryptocurrencies/Mining

The entire narrative is carefully constructed with keywords that have no hard relation to the vulnerability whatsoever - it feels like I’m reading a bug bounty report where someone extrapolates a minor endpoint security or phishing vulnerability to whatever they think will get the most attention to the report.

Reporting like this almost makes me wish for Gell-Mann Amnesia in my own field.

ptico8y ago

"Hello! I'm russian remote code execution vulnerability, please run me and ignore system security warning. Also, you may want to delete your Documents and Settings folder, just press Del button and then Continue"

patcheudor8y ago

As a security researcher who tends to focus a bit on user interaction and phishing vectors you are 100% correct, but also representing part of the problem. Too often we discount vulnerabilities which users have to click-through to execute. Unfortunately users do ignore system security warnings. Unfortunately when given a dialog where they can choose security over doing their job, they'll do their job.

I've actually presented user interaction vulnerabilities to development teams in an interactive environment where I describe the vulnerability. I show them where it's at, I show them the dialogs they must be cautious about and even with all of this education they still fall for my attack running on their network. As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.

my_ghola8y ago

> As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.

Maybe give it an actual name. Something like Vibkac: Vulnerability is between keyboard and chair.

ptico8y ago

I agree, but this is not an RCE

heavenlyblue8y ago

What if I looked through an open window in my apartment and saw someone waving this in front of me? Certainly something needs to be done here as well.

ejcx8y ago

This should be renamed to "Telegram right to left vulnerability"

This is just not an RCE. It's just pretty good phishing.

syx8y ago

I didn't quite understand the "Remote control" scenario; is the victim becoming a telegram bot, where the attacker sends commands to the bot and the bot executes stuff on the victim system?

jnmandal8y ago

I think its basically that the malware uses telegram bot API as a CGI. Probably not a smart attack and sounds like something someone naive but familiar with writing messenger bots might try.

badwebsite8y ago

Mods need to change the title -- this is deliberately dishonest reporting as it stands.

j / k navigate · click thread line to collapse

16 comments

wizzard08y ago

Calling it "remote code execution" is veeeery clickbait-y. By this logic, any website with download links uses "remote code execution".

Even the source article says just "zero-day".

Also, tldr: Using Unicode Right-To-Left, you can make Telegram show file name "gpj.js" as "sj.jpg". That's all.

kbart8y ago

Yeah, I was disappointed as well. This "zero day remote code execution" actually is not much more than good, old "important_document.pdf.exe" just slightly more obscure.

Tenobrus8y ago

jwilk8y ago

But it's not "zero-day" either.

The aricle says it was discovered in October 2017, and that they "informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products".

escapologybb8y ago

It's a knotty problem. Also exploits in software bad.

thinkMOAR8y ago

and it seems to be limited to windows only, imho not a detail to leave out

dsacco8y ago

This article is atrocious. It has a clear agenda motivating its publication that is simply at odds with facts.

1. This is not a vulnerability with Telegram. The headline is deliberate clickbait, and the article’s Telegram-centric presentation doesn’t redeem it.

* Telegram

* Cybercrime

* Cryptocurrencies/Mining

Reporting like this almost makes me wish for Gell-Mann Amnesia in my own field.

ptico8y ago

patcheudor8y ago

my_ghola8y ago

> As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.

Maybe give it an actual name. Something like Vibkac: Vulnerability is between keyboard and chair.

ptico8y ago

I agree, but this is not an RCE

heavenlyblue8y ago

What if I looked through an open window in my apartment and saw someone waving this in front of me? Certainly something needs to be done here as well.

ejcx8y ago

This should be renamed to "Telegram right to left vulnerability"

This is just not an RCE. It's just pretty good phishing.

syx8y ago

I didn't quite understand the "Remote control" scenario; is the victim becoming a telegram bot, where the attacker sends commands to the bot and the bot executes stuff on the victim system?

jnmandal8y ago

I think its basically that the malware uses telegram bot API as a CGI. Probably not a smart attack and sounds like something someone naive but familiar with writing messenger bots might try.

badwebsite8y ago

Mods need to change the title -- this is deliberately dishonest reporting as it stands.

j / k navigate · click thread line to collapse