
Telegram Remote Code Execution Zero-Day Vulnerability - geektips
https://securelist.com/zero-day-vulnerability-in-telegram/83800/
======
wizzard0
Calling it "remote code execution" is veeeery clickbait-y. By this logic, any
website with download links uses "remote code execution".

Even the source article says just "zero-day".

Also, tldr: Using Unicode Right-To-Left, you can make Telegram show file name
"gpj.js" as "sj.jpg". That's all.
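
Added example, not part of the thread or the linked article: a Python check that flags Unicode bidirectional control characters in a file name and reports the extension as stored versus roughly how it is drawn. The function names, the extension list and the sample names are assumptions made for illustration, and `approx_display` is a simplified model that only handles a single U+202E.

```python
import unicodedata

# Bidi_Class values of the explicit formatting characters that reorder
# displayed text (U+202A..U+202E and U+2066..U+2069).
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
# Assumption: illustrative list of directly executable extensions, not exhaustive.
RISKY_EXTENSIONS = {"js", "exe", "scr", "bat", "cmd", "vbs", "lnk"}


def find_bidi_controls(name):
    """Return (index, code point, Bidi_Class) for every bidi control in name."""
    return [(i, f"U+{ord(c):04X}", unicodedata.bidirectional(c))
            for i, c in enumerate(name)
            if unicodedata.bidirectional(c) in BIDI_CONTROLS]


def real_extension(name):
    """Extension in stored (logical) order, which is what the OS acts on."""
    logical = "".join(c for c in name
                      if unicodedata.bidirectional(c) not in BIDI_CONTROLS)
    return logical.rsplit(".", 1)[-1].lower() if "." in logical else ""


def approx_display(name):
    """Simplified rendering model: text after the first U+202E is drawn reversed."""
    head, rlo, tail = name.partition("\u202e")
    return head + tail[::-1] if rlo else name


def inspect_name(name):
    controls = find_bidi_controls(name)
    ext = real_extension(name)
    return {
        "escaped": name.encode("unicode_escape").decode("ascii"),
        "displayed_as": approx_display(name),
        "real_extension": ext,
        "bidi_controls": controls,
        "suspicious": bool(controls),
        "high_risk": bool(controls) and ext in RISKY_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed samples: the name from the comment above and a benign one.
    for sample in ("\u202egpj.js", "holiday.jpg"):
        print(inspect_name(sample))
```

Escaping or rejecting these characters before a name is rendered keeps the displayed extension equal to the stored one.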

~~~
kbart
Yeah, I was disappointed as well. This "zero day remote code execution"
actually is not much more than good, old "important_document.pdf.exe" just
slightly more obscure.

------
dsacco
This article is atrocious. It has a clear agenda motivating its publication
that is simply at odds with facts.

1. This is not a vulnerability with Telegram. The headline is deliberate
clickbait, and the article’s Telegram-centric presentation doesn’t redeem it.

2. This is not a remote code execution vulnerability, or even a “0-day” (for
whatever meaning that term still has...). This vulnerability is a malicious
file upload combined with a clever phishing vector.

The reporting is _exceptionally_ bad - so much so that it is difficult for me
to attribute it to simple ignorance. It is very clearly trying to hit several
checkboxes for what is otherwise a non-story:

* Telegram

* Cybercrime

* Cryptocurrencies/Mining

The entire narrative is carefully constructed with keywords that have no hard
relation to the vulnerability _whatsoever_ - it feels like I’m reading a bug
bounty report where someone extrapolates a minor endpoint security or phishing
vulnerability to whatever they think will get the most attention to the
report.

Reporting like this almost makes me wish for Gell-Mann Amnesia in my own
field.

------
ptico
"Hello! I'm Russian remote code execution vulnerability, please run me and
ignore system security warning. Also, you may want to delete your Documents
and Settings folder, just press Del button and then Continue"

~~~
patcheudor
As a security researcher who tends to focus a bit on user interaction and
phishing vectors you are 100% correct, but also representing part of the
problem. Too often we discount vulnerabilities which users have to click-
through to execute. Unfortunately users do ignore system security warnings.
Unfortunately when given a dialog where they can choose security over doing
their job, they'll do their job.

I've actually presented user interaction vulnerabilities to development teams
in an interactive environment where I describe the vulnerability. I show them
where it's at, I show them the dialogs they must be cautious about and even
with all of this education they still fall for my attack running on their
network. As an industry we've got to stop discounting vulnerabilities as not
serious because they require user interaction which involves clicking through
security warnings.

~~~
my_ghola
> As an industry we've got to stop discounting vulnerabilities as not serious
> because they require user interaction which involves clicking through
> security warnings.

Maybe give it an actual name. Something like Vibkac: Vulnerability is between
keyboard and chair.

------
ejcx
This should be renamed to "Telegram right to left vulnerability"

This is just not an RCE. It's just pretty good phishing.

------
syx
I didn't quite understand the "Remote control" scenario; is the victim
becoming a Telegram bot, where the attacker sends commands to the bot and the
bot executes stuff on the victim system?

~~~
jnmandal
I think it's basically that the malware uses Telegram bot API as a CGI.
Probably not a smart attack and sounds like something someone naive but
familiar with writing messenger bots might try.

------
badwebsite
Mods need to change the title -- this is deliberately dishonest reporting as
it stands.

