
Kaspersky Says Telegram Flaw Used for Cryptocurrency Mining - jonbaer
https://www.bloomberg.com/news/articles/2018-02-13/kaspersky-says-telegram-flaw-used-for-cryptocurrency-mining
======
dsacco
Seeing this on Hacker News again, this time from _Bloomberg_ , is so mind
numbingly frustrating. I already contested this story when it first showed up
on HN 14 hours ago:
[https://news.ycombinator.com/item?id=16366754](https://news.ycombinator.com/item?id=16366754).
But time is a flat circle.

 _Sigh._

1\. This is not a vulnerability in Telegram. This is a vulnerability in the way
Windows processes malicious RLO characters in downloaded files. See:
[https://cdn.securelist.com/files/2018/02/180212-telegram-vulnerability-2.png](https://cdn.securelist.com/files/2018/02/180212-telegram-vulnerability-2.png).
The users must click past the security warning (unless they have manually
disabled it in system settings), download the file to their machine, and run
it.

2\. This vulnerability is a phishing vector, not a "0-day" (which these days,
is a marketing term). It allows you to send a user a file to compromise their
machine, _not_ the Telegram desktop application. Telegram is therefore the
channel which can be used to execute a phishing attack. An email client would
_also_ be a channel.

Kaspersky is trying to get eyeballs by checking off a bunch of boxes in the
tech zeitgeist: Telegram, controversy over Telegram's security, _cyber_ crime,
cryptocurrencies and mining. They've baked a narrative that is specifically
designed to market Kaspersky's services to its readers by dropping a bunch of
keywords - the scenarios presented are so far removed from the standalone
technicalities of the vulnerability that it's no longer even honest.

Exploitive security marketing and the uninformed journalism that follows it
around is going to give me an ulcer.

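The RLO trick described in the comment above, as an added example that is not part of the thread or of Kaspersky's report: a small Python check that finds Unicode bidi control characters in a file name, approximates what a bidi-aware renderer would show the user, and flags a mismatch between the visible and the real extension. The rendering model is a deliberate simplification (an assumption, not the full Unicode bidi algorithm Windows implements): one RLO reverses everything after it up to a PDF or the end of the string, and every other control is invisible. The sample file names are constructed for the example.

```python
# Added example: detecting the RLO file-name spoof discussed in the thread.
# The displayed-name computation is a simplified bidi model (assumption), not
# the full Unicode bidi algorithm Windows uses; it is accurate for the common
# "one RLO, no PDF" spoof and for an RLO terminated by a PDF.

# Unicode explicit bidi controls (embeddings, overrides, isolates) that have
# no business in a file name a user is being asked to open.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name):
    """Return (index, mnemonic) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def extension_of(name):
    """Extension as the OS sees it: text after the last dot, lower-cased."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def displayed_name(name):
    """Approximate what a bidi-aware renderer shows for name.

    Simplified model (assumption): an RLO reverses everything after it up to a
    PDF or the end of the string; every other control is zero-width.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":                      # RLO: reverse the run it governs
            end = name.find("\u202c", i + 1)    # a PDF terminates the override
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:               # other controls: invisible
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def strip_bidi_controls(name):
    """Replace each bidi control with U+FFFD so the spoof becomes visible."""
    return "".join("\ufffd" if ch in BIDI_CONTROLS else ch for ch in name)


def check_filename(name):
    """Flag a file name whose visible extension differs from its real one."""
    shown = displayed_name(name)
    real_ext, apparent_ext = extension_of(name), extension_of(shown)
    return {
        "controls": find_bidi_controls(name),
        "shown_as": shown,
        "real_ext": real_ext,
        "apparent_ext": apparent_ext,
        "extension_spoofed": real_ext != apparent_ext,
    }


if __name__ == "__main__":
    # Constructed samples, not file names taken from the report.
    for sample in ("report.pdf",
                   "photo_high_re\u202egnp.js",
                   "invoice\u202efdp.exe"):
        r = check_filename(sample)
        print(f"{strip_bidi_controls(sample)!r}: shown as {r['shown_as']!r}, "
              f"real {r['real_ext']}, looks like {r['apparent_ext']}, "
              f"spoofed={r['extension_spoofed']}")
```

The second sample is the shape of the trick: the name is stored as `photo_high_re` + RLO + `gnp.js`, so the real extension is `.js`, but a renderer that honours the override shows `photo_high_resj.png`. A messenger or mail client that wanted to protect users could run exactly this kind of check before showing the file and either refuse the name or render the controls as U+FFFD; legitimate right-to-left file names rarely need explicit override characters, so flagging them produces few false positives.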
~~~
tyingq
_"Attackers used a hidden Unicode character in the file name that reversed
the order of the characters, thus renaming the file itself. As a result, users
downloaded hidden malware which was then installed on their computers"_

Feels like Telegram should be on the hook for protecting against this. It does
work with email too, and not really Telegram's fault. Nonetheless, the
expectation for them to deal with it seems reasonable to me.

------
saagarjha
I found the article a bit light on details, so I checked the linked report at
[https://www.kaspersky.com/about/press-releases/2018_hackers-exploited-telegram-messenger-zero-day-vulnerability](https://www.kaspersky.com/about/press-releases/2018_hackers-exploited-telegram-messenger-zero-day-vulnerability)

> Attackers used a hidden Unicode character in the file name that reversed the
> order of the characters, thus renaming the file itself. As a result, users
> downloaded hidden malware which was then installed on their computers.

> Secondly, upon successful exploitation of the vulnerability, a backdoor that
> used the Telegram API as a command and control protocol was installed,
> resulting in the hackers gaining remote access to the victim’s computer.

------
kjullien
"While analyzing the servers of malicious actors, Kaspersky researchers also
found archives containing a cache of Telegram data that had been stolen from
victims." more worried about that than the rest.

