Telegram debunks reported vulnerability in desktop app, confirms mobile security
The alleged vulnerability
Blockchain security firm CertiK said on April 9 that Telegram’s desktop application has a potential high-risk Remote Code Execution (RCE) vulnerability. The firm stated:
“Possible RCE detected in Telegram’s media processing in the Telegram Desktop application. This issue exposes users to malicious attacks through specially crafted media files, such as images or videos.”
According to CertiK, this vulnerability could allow malicious actors to send RCE to users, potentially exposing them to attacks via specially crafted media files.
The security firm clarified that the vulnerability is confined to desktop apps, which can execute programs contained within files. Mobile applications remain unaffected, as they do not execute programs.
CertiK advised users to deactivate the auto-download feature on the desktop application for security purposes. Users can adjust their media download settings to manual downloads in the app’s settings.
Telegram’s response
In an April 9 post on X (formerly Twitter), Telegram stated that the trending videos were likely a hoax as there was no such vulnerability on its platform.
Nevertheless, the platform urged users to report any threat or potential vulnerabilities in its applications via its bug bounty program.
Meanwhile, a CertiK spokesperson told CryptoSlate that the firm was not in touch with Telegram and that news of the vulnerability had come from the security community. It added that the mobile version of the messaging application was secure from this vulnerability because it “does not directly execute executable programs like desktops, which generally require signatures.”
CertiK further stated that its social media post about the vulnerability intended to raise awareness of the potential issue and remind users of best practices.
