On April 9, a significant security risk for Telegram users was highlighted by the blockchain security firm CertiK, revealing a vulnerability that could lead to malicious attacks via the desktop version of the messaging app.
CertiK, through an alert on X (formerly Twitter), disclosed a “high-risk vulnerability in the wild” that could allow hackers to execute remote code execution (RCE) attacks through Telegram’s media processing.
This vulnerability, found specifically in the Telegram Desktop application, makes users susceptible to attacks through specially crafted media files, like images or videos.
CertiK’s findings have stirred concerns, prompting them to advise users to modify their Telegram Desktop settings to prevent automatic media file downloads.
This precaution involves disabling the auto-download for “Photos”, “Videos”, and “Files” within the app’s settings, specifically under the “Automatic Media Download” section for all types of chats.
Despite these claims, a Telegram spokesperson denied acknowledging any such vulnerability within Telegram clients.
The revelation of this vulnerability has brought attention to the ongoing security challenges faced by Telegram, especially given its popularity in the cryptocurrency community for its features that support communication, file sharing, and cryptocurrency transactions through its Wallet service.
This service, notably, opts for a custodial approach to managing users’ assets, differing from the conventional method where users control their private keys.
This isn’t the first time Telegram has been in the spotlight for security vulnerabilities.
READ MORE: PayPal USD Stablecoin Circulation Drops 39% in March Amid Crypto Market Rally
Previous instances include a 2023 discovery by a Google engineer of a bug in the macOS version of the app that could allow unauthorized access to a device’s camera and microphone, and a 2021 incident identified by a Shielder researcher involving modified animated stickers that could compromise user data.
Telegram’s response to such vulnerabilities has been proactive, with the platform’s bug bounty program, initiated in 2014, inviting developers and security researchers to report potential security issues in exchange for financial rewards.
The program aims to address and mitigate security concerns by leveraging the expertise of the wider security community.
However, despite Telegram’s efforts to secure its platform and the skepticism around the current vulnerability’s existence, the dialogue between security experts and Telegram continues, underscoring the complex landscape of digital security and the ongoing need for vigilance.
To submit a crypto press release (PR), send an email to sales@cryptointelligence.co.uk.