• Insufficient verification over callback_data parameter (May 2018)
• XSS (December 2018)
• Privacy of Profile Pictures (March 2019)
• Sticker crash (July-December 2019)
• Permissions issues on (December 2020)


In Italy we have pizza, pasta and people looking for bugs. Today I want to talk about some bugs we’ve found through the years in Telegram.

Insufficient verification over callback_data parameter


For this vulnerability I collaborated with Andrea and together we created a program that used an MTProto (the protocol for communicating with Telegram APIs) client to be able to send and then test requests to the Telegram APIs. …


A lot of people use git to manage their source code. This widely used tool helps developers deal with their software versions (and much more…)

Unfortunately, most people use git on their website without paying attention to one important folder, .git, which is created the moment the tool is used.
What makes this folder special is that it keeps many important files, such as the project's source code, inside it.

.git on a website

Keeping in mind what has just been said, it’s not hard to figure out the importance of this folder: in fact, it…
