Telegram recently patched a zero-day vulnerability exposing Windows users to malicious Python script attacks. Criminals could use the vulnerability to bypass the Telegram Windows client’s security warnings and launch Python scripts automatically on the target’s machine.
As BleepingComputer reported recently, recent rumors on hacking forums and X describe an “alleged remote code execution” vulnerability affecting Telegram’s Windows client.
Although the shortcoming was described as a zero-click flaw, fortunately, the vulnerability required user interaction to propagate on targeted systems, as shown in a video demo on social media.
Telegram was quick to dismiss the rumors, stating that it “can’t confirm that such a vulnerability exists” and that the “video is likely a hoax.”
However, shortly after, an XSS hacking forum user shared a proof-of-concept (POC) exploit, explaining that the vulnerability depicted in the video was caused by a typo in Telegram for Windows’ source code. According to the POC, the flaw could be exploited to send .pyzw
Python scripts; when clicked, the files would bypass the client’s security warnings.
Telegram has built-in security mechanisms that prevent the execution of certain file types without warning. After receiving one of these potentially risky files, users are prompted with a security warning if they try to open them straight from the client (i.e., by clicking them).
The message warns users of the file’s extension, saying the document may harm their computer and asking for confirmation to launch or open it. Unfortunately, unrecognized file types fail to trigger this warning; the client launches them automatically, letting Windows decide which program to use.
The vulnerability only works on machines where Python for Windows is installed. Once the user clicks the .pyzw
script, Python automatically executes it.
Although Telegram correctly recognized the .pyzw
format as potentially harmful and added it to the list of “risky” executable file extensions, a typo threw a wrench in the security mechanism. The source code included .pywz
as a potentially harmful extension, leading to files carrying the correct .pyzw
extension being able to bypass the security warnings.
In other words, threat actors who would send maliciously crafted .pyzw
Python scripts to unsuspecting Telegram for Windows users could have executed arbitrary code remotely on their machines. Granted, this could only happen if the victim actually opened the rogue document.
To make matters worse, researchers found a way to obfuscate the attack further, masquerading the malicious script as a shared video, along with a thumbnail. This cunning strategy could easily trick users into interacting with the rogue Python script, unwittingly launching it on their computers.
Telegram was made aware of the vulnerability on April 10, and they patched it by correcting the mistyped extension spelling in the Windows client’s source code.
However, the fix doesn’t yet show the warning for the other harmful extensions; instead, it asks you which program to use to open the script instead of automatically launching it in Python.
Although Telegram addressed the issue by rolling out a server-side fix, malicious Python scripts in instant messaging clients are only one of the online risks you’re exposed to.
Specialized security software like Bitdefender Ultimate Security can protect your devices from a broad range of intrusions, including zero-day exploits, viruses, Trojans, worms, rootkits, spyware, ransomware, and others.
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsDecember 19, 2024
November 14, 2024