The blockchain security firm CertiK claims it has uncovered a major vulnerability on Telegram messenger that could expose users to malicious attacks, but Telegram itself is calling the threat a hoax.
CertiK Alert took to the social media platform X on April 9 to warn the public against a “high-risk vulnerability in the wild,” potentially allowing hackers to deploy a remote code execution (RCE) attack through Telegram’s media processing.
According to the post, CertiK’s team had discovered a “possible RCE” attack in the media processing of the Telegram Desktop application.
“This issue exposes users to malicious attacks through specially crafted media files, such as images or videos,” CertiK wrote.
A spokesperson for CertiK told Cointelegraph that the vulnerability is exclusive to the desktop Telegram application because mobile "does not directly execute executable programs like desktops, which generally require signatures." The representative noted that the news on the issue came from the security community.
To avoid the vulnerability, CertiK says users should check their Telegram Desktop configuration and disable the auto-download feature. The feature can be disabled by going to “Settings” and then tapping on “Advanced.”

“Under the ‘Automatic Media Download’ section, disable auto-download for ‘Photos’, ‘Videos’, and ‘Files’ across all chat types (Private chats, groups, and channels),” CertiK noted.
Despite the warning from CertiK, a spokesperson for Telegram has told Cointelegraph that the company “can't confirm the existence of such a vulnerability in Telegram clients,” and on April 9 labeled the threat as most likely a hoax.

Telegram is a major cryptocurrency-friendly messenger that allows users to communicate and exchange files and transact cryptocurrencies like Bitcoin and Toncoin (TON) using its custodial wallet solution called, simply, Wallet.
The “custodial” part means the Wallet doesn’t give users the private key by default. Instead, it puts the assets in its own custody to help industry newcomers avoid self-custody responsibilities.
While Telegram itself states there is no danger posed by auto-downloading media files, crypto enthusiast and grey hat SEO Yannick Eckl told Cointelegraph that the issue is not new. “It is a known issue in many, but obviously not all, IT-security circles.”
In 2023, Google engineer Dan Revah found a significant bug that could allow attackers to activate the camera and microphone on laptops running macOS.

In 2021, a security researcher from Shielder discovered a similar media-related issue in Telegram, which reportedly allowed attackers to send modified animated stickers that could have exposed victims’ data.
Telegram has been actively addressing potential vulnerabilities on its app, though. Telegram’s bug bounty program has been active since 2014, offering developers and the security research community the opportunity to submit their reports and be eligible for bounties ranging from $100 to $100,000 or more, depending on the severity of the issue.