Telegram recently fixed a security issue in its Windows desktop application that allowed Python zipapp files to be opened without the warning the client normally shows for risky file types. The vulnerability required user interaction, which debunked initial rumors of a zero-click flaw, and Telegram's development team addressed it within hours with a server-side change.
Discovery and Misinformation
The vulnerability emerged in public discourse through discussions on the social media platform X and on several hacking forums. Initial reports inaccurately described the issue as a zero-click vulnerability that would let attackers remotely execute malicious code without any user interaction. Telegram quickly refuted these claims, clarifying that exploitation required user interaction: the victim had to click a maliciously crafted file.
Proof of Concept and Exploit Details
Further investigation revealed more concerning details. A user on the XSS hacking forum shared a proof of concept showing that the vulnerability stemmed from a simple typographical error in Telegram's code. The client keeps a list of file extensions it treats as risky and warns about before opening; the source code listed the extension '.pywz' in that list instead of '.pyzw', the windowed variant of a Python zipapp (a self-contained Python application packed into a zip archive). Because the check matched on the misspelt string, a .pyzw file was not recognized as risky: clicking it skipped Telegram's warning and handed the file straight to Windows, which runs it through the Python launcher if Python is installed and registered for that extension.
Attackers took advantage of this oversight by disguising the .pyzw files as harmless-looking video files, complete with convincing thumbnails. The deceit tricked users into clicking and executing the script while believing they were merely opening a video.
Telegram’s Response
Upon recognizing the severity of the lapse, Telegram implemented an immediate server-side fix. Rather than wait for a client update to reach users, Telegram's servers now append the '.untrusted' extension to the names of .pyzw files. Windows has no registered handler for that extension, so the user has to choose a program to open the file manually; the file can no longer be launched automatically, which gives users a crucial layer of protection even on unpatched clients.
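To make the mechanism concrete, here is an added Python example. It is not Telegram Desktop's own code (which is C++) and not the forum proof of concept; it models a deny-list with the typo beside the corrected one, applies the server-side '.untrusted' rename to a filename, and builds a real zipapp named like the disguised attachment to show that the interpreter runs it whatever the extension. The list contents, function names and the sample filename are assumptions for illustration.

```python
# Added example (not Telegram Desktop's code): a toy model of the one-letter
# typo in an extension deny-list, the server-side '.untrusted' rename, and a
# check that a '.pyzw' file really is a runnable zipapp. The list contents,
# names and the sample filename are assumptions made for illustration.
import subprocess
import sys
import tempfile
import zipapp
from pathlib import Path

# Hypothetical deny-list of extensions that should trigger a warning. The entry
# for Python windowed zipapps should read "pyzw"; here it is typed "pywz".
RISKY_EXTENSIONS_TYPO = frozenset({"exe", "bat", "cmd", "py", "pyw", "pyz", "pywz"})
# Corrected list: the same entries with the typo fixed.
RISKY_EXTENSIONS_FIXED = (RISKY_EXTENSIONS_TYPO - {"pywz"}) | {"pyzw"}


def extension_of(filename: str) -> str:
    """Final extension, lower-cased, without the dot ("video.PYZW" -> "pyzw")."""
    return Path(filename).suffix.lstrip(".").lower()


def needs_warning(filename: str, risky: frozenset) -> bool:
    """True when the client should warn the user before opening the file."""
    return extension_of(filename) in risky


def untrusted_name(filename: str, risky: frozenset) -> str:
    """Model of the server-side mitigation: append ".untrusted" to risky files
    so the OS has no registered handler and the user must pick a program
    instead of the file being launched directly."""
    return filename + ".untrusted" if needs_warning(filename, risky) else filename


def demo_zipapp_execution() -> str:
    """Build a zipapp named like the disguised attachment and run it with the
    interpreter. Python accepts the archive whatever its extension, which is
    what the Python launcher does on Windows once .pyzw is associated with it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "app"
        src.mkdir()
        # Constructed payload: a harmless marker stands in for real malware.
        (src / "__main__.py").write_text("print('zipapp executed')\n")
        target = Path(tmp) / "holiday_video.pyzw"  # constructed attacker-style name
        zipapp.create_archive(src, target)
        result = subprocess.run(
            [sys.executable, str(target)], capture_output=True, text=True, check=True
        )
        return result.stdout.strip()


if __name__ == "__main__":
    name = "holiday_video.pyzw"
    print("typo list warns:   ", needs_warning(name, RISKY_EXTENSIONS_TYPO))   # False
    print("fixed list warns:  ", needs_warning(name, RISKY_EXTENSIONS_FIXED))  # True
    print("server-side rename:", untrusted_name(name, RISKY_EXTENSIONS_FIXED))
    print("zipapp run output: ", demo_zipapp_execution())
```

The lesson for anyone maintaining such a list is that a deny-list is only as good as each literal in it: a unit test that feeds every extension the platform's installers register (here, those the Python launcher claims) through `needs_warning` would have caught the transposed letters before release.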
In a detailed statement, Telegram confirmed the typo and acknowledged that it could be exploited, while noting that the practical impact was limited: by their estimate, fewer than 0.01% of users had the Python interpreter installed in a way that made them vulnerable. Despite the low risk to the broader user base, Telegram treated the issue as urgent.
Long-Term Solutions and User Safety Recommendations
While the server-side change closes the immediate hole, Telegram also plans to ship an updated Windows client. That update is expected to correct the extension list itself and to tighten how the client handles file types it considers risky, so that a single mistyped entry cannot silently disable a warning again.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –