Telegram had some major security vulnerabilities

(Image credit: Shutterstock)
Audio player loading…

Messaging app Telegram (opens in new tab) was beset with vulnerabilities last year after one security researcher discovered 13 in the course of a single investigation. Writing for IT security firm Shielder, an individual known as “polict (opens in new tab)” also confirmed that all the security bugs have been responsibly reported to Telegram and subsequently fixed.

The Telegram vulnerabilities were initially discovered after investigating the source code for new animated stickers that the secure messaging app (opens in new tab) launched in 2019. The flaws allowed attackers to send malicious stickers to victims in order to gain access to private messages (opens in new tab), photos (opens in new tab), and videos (opens in new tab). Although the exploit was far from straightforward, there’s no guarantee that this would have discouraged sophisticated threat actors.

The 13 vulnerabilities included one heap out-of-bounds write, one stack out-of-bounds write, one stack out-of-bounds read, two heap out-of-bound read, one integer overflow leading to heap out-of-bounds read, two type confusions, and five denial-of-service flaws.

All patched up

“Before starting this research in 2019 I would have been pretty skeptical if you had asked me whether the following year I’d find a single memory corruption in Telegram,” polict wrote (opens in new tab). “Today I shared with you the story of how I have found 13, some with a higher impact than others but all which were promptly fixed by Telegram for all the device families supporting secret chats: Android, iOS, and macOS. This research helped me understand once more that it’s not trivial to limit attack surfaces at scale in end-to-end encrypted contexts without losing functionalities.”

Following the discoveries, security researchers waited 90 days before informing Telegram of the security issues. They have since all been patched, following updates for the Android (opens in new tab), iOS (opens in new tab), and macOS (opens in new tab) versions released in September and October of last year. Essentially, if you have updated your Telegram app within the last four months, you will be protected.

Although Telegram acted swiftly to patch the flaws, the vulnerabilities are still somewhat embarrassing for the messaging app. Telegram prides itself on the privacy (opens in new tab) and security it can offer its users, making any security bugs particularly damaging to the app’s reputation.

Via Shielder (opens in new tab)

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.