Hacker News
[flagged] Telegram Remote Code Execution Zero-Day Vulnerability (securelist.com)
43 points by geektips on Feb 13, 2018 | 16 comments

Calling it "remote code execution" is veeeery clickbait-y. By this logic, any website with download links uses "remote code execution".

Even the source article says just "zero-day".

Also, tldr: Using Unicode Right-To-Left, you can make Telegram show file name "gpj.js" as "sj.jpg". That's all.

Yeah, I was disappointed as well. This "zero day remote code execution" actually is not much more than good, old "important_document.pdf.exe" just slightly more obscure.

The "exploit" doesn't even have anything to do with Telegram specifically (except presumably that there's some known real world use on that platform). I'm surprised at this kind of article coming from Kaspersky.

But it's not "zero-day" either.

The article says it was discovered in October 2017, and that they "informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products".

This is mildly off topic but regarding clickbait titles, does anyone have any good idea how we can stop them? Because everybody hates them, but everybody clicks on them. Seriously, I hate the way BBC News has turned into a clickbait nightmare; but I still clicked on the "my husband turned into an otter, then became a security professional" link, or whatever it was.

It's a knotty problem. Also exploits in software bad.

And it seems to be limited to Windows only, imho not a detail to leave out.

This article is atrocious. It has a clear agenda motivating its publication that is simply at odds with facts.

1. This is not a vulnerability with Telegram. The headline is deliberate clickbait, and the article’s Telegram-centric presentation doesn’t redeem it.

2. This is not a remote code execution vulnerability, or even a “0-day” (for whatever meaning that term still has...). This vulnerability is a malicious file upload combined with a clever phishing vector.

The reporting is exceptionally bad - so much so that it is difficult for me to attribute it to simple ignorance. It is very clearly trying to hit several checkboxes for what is otherwise a non-story:

* Telegram

* Cybercrime

* Cryptocurrencies/Mining

The entire narrative is carefully constructed with keywords that have no hard relation to the vulnerability whatsoever - it feels like I’m reading a bug bounty report where someone extrapolates a minor endpoint security or phishing vulnerability to whatever they think will get the most attention to the report.

Reporting like this almost makes me wish for Gell-Mann Amnesia in my own field.

"Hello! I'm russian remote code execution vulnerability, please run me and ignore system security warning. Also, you may want to delete your Documents and Settings folder, just press Del button and then Continue"

As a security researcher who tends to focus a bit on user interaction and phishing vectors you are 100% correct, but also representing part of the problem. Too often we discount vulnerabilities which users have to click-through to execute. Unfortunately users do ignore system security warnings. Unfortunately when given a dialog where they can choose security over doing their job, they'll do their job.

I've actually presented user interaction vulnerabilities to development teams in an interactive environment where I describe the vulnerability. I show them where it's at, I show them the dialogs they must be cautious about and even with all of this education they still fall for my attack running on their network. As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.

> As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.

Maybe give it an actual name. Something like Vibkac: Vulnerability is between keyboard and chair.

I agree, but this is not an RCE

What if I looked through an open window in my apartment and saw someone waving this in front of me? Certainly something needs to be done here as well.

This should be renamed to "Telegram right to left vulnerability"

This is just not an RCE. It's just pretty good phishing.

I didn't quite understand the "Remote control" scenario; is the victim becoming a Telegram bot, where the attacker sends commands to the bot and the bot executes stuff on the victim system?

I think it's basically that the malware uses the Telegram bot API as a CGI. Probably not a smart attack and sounds like something someone naive but familiar with writing messenger bots might try.

Mods need to change the title -- this is deliberately dishonest reporting as it stands.
