Even the source article says just "zero-day".
Also, tldr: Using Unicode Right-To-Left, you can make Telegram show file name "gpj.js" as "sj.jpg". That's all.
The article says it was discovered in October 2017, and that they "informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products".
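The right-to-left trick mentioned above, as an added example that is not code from the article, from Telegram, or from any commenter: U+202E (RIGHT-TO-LEFT OVERRIDE) makes a renderer draw the rest of the name reversed, so the raw string "\u202Egpj.js" is shown as "sj.jpg" while the filesystem still sees a ".js" extension. The `displayed_name` helper is a deliberate simplification of the Unicode bidi algorithm (it only handles RLO/PDF), enough to show the effect; the filename samples are constructed for the example. The `has_bidi_control` and `sanitize` helpers are the check a file-upload or chat client would want: flag or strip bidi controls before displaying a name, and judge the type by the real extension, not the rendered one.

```python
import unicodedata

# Unicode bidirectional control characters that can reorder displayed text.
# Any of these inside a filename is suspicious; U+202E is the one used here.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200E", "\u200F",                                # LRM, RLM
}


def displayed_name(filename: str) -> str:
    """Approximate how a naive renderer shows a name containing U+202E.

    Everything after the first RLO is drawn right-to-left (i.e. reversed)
    until the end of the string or a U+202C (POP DIRECTIONAL FORMATTING).
    This is a simplification of the full bidi algorithm, sufficient for the
    RLO filename trick (assumption: no other bidi controls are present).
    """
    if "\u202E" not in filename:
        return filename
    head, _, tail = filename.partition("\u202E")
    reversed_part, _, rest = tail.partition("\u202C")
    return head + reversed_part[::-1] + rest


def real_extension(filename: str) -> str:
    """Extension as the OS sees it: text after the last dot in the raw string."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def has_bidi_control(filename: str) -> bool:
    """True if the name contains any bidi control character."""
    return any(ch in BIDI_CONTROLS for ch in filename)


def bidi_controls_in(filename: str) -> list:
    """Names of the bidi controls found, for logging/alerting."""
    return [unicodedata.name(ch, "UNKNOWN") for ch in filename if ch in BIDI_CONTROLS]


def sanitize(filename: str) -> str:
    """Strip bidi controls so the displayed name matches the real name."""
    return "".join(ch for ch in filename if ch not in BIDI_CONTROLS)


def inspect(filename: str) -> dict:
    """Summarise what a user sees versus what the filesystem sees."""
    return {
        "displayed": displayed_name(filename),
        "real_extension": real_extension(filename),
        "suspicious": has_bidi_control(filename),
        "controls": bidi_controls_in(filename),
        "safe_name": sanitize(filename),
    }


if __name__ == "__main__":
    # Constructed samples: the commenter's "gpj.js" case and a longer decoy.
    for name in ("\u202Egpj.js", "photo_high_re\u202Egnp.js", "photo.jpg"):
        print(inspect(name))
```

Running the block prints, for the first sample, a displayed name of "sj.jpg" but a real extension of "js" and the control listed as RIGHT-TO-LEFT OVERRIDE; the plain "photo.jpg" is not flagged. A client that shows `safe_name` (or refuses names where `suspicious` is true) removes the rendering mismatch that the phishing relies on.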
It's a knotty problem. Also exploits in software bad.
1. This is not a vulnerability with Telegram. The headline is deliberate clickbait, and the article’s Telegram-centric presentation doesn’t redeem it.
2. This is not a remote code execution vulnerability, or even a “0-day” (for whatever meaning that term still has...). This vulnerability is a malicious file upload combined with a clever phishing vector.
The reporting is exceptionally bad - so much so that it is difficult for me to attribute it to simple ignorance. It is very clearly trying to hit several checkboxes for what is otherwise a non-story:
The entire narrative is carefully constructed with keywords that have no hard relation to the vulnerability whatsoever - it feels like I’m reading a bug bounty report where someone extrapolates a minor endpoint security or phishing vulnerability to whatever they think will get the most attention to the report.
Reporting like this almost makes me wish for Gell-Mann Amnesia in my own field.
I've actually presented user interaction vulnerabilities to development teams in an interactive environment where I describe the vulnerability. I show them where it's at, I show them the dialogs they must be cautious about and even with all of this education they still fall for my attack running on their network. As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.
Maybe give it an actual name. Something like Vibkac: Vulnerability is between keyboard and chair.
This is just not an RCE. It's just pretty good phishing.