Telegram Vulnerability Lets Attackers Track Bot Messages

Security researchers have discovered a vulnerability in the Telegram Bot API that allows attackers to intercept traffic between malware and its operator. The vulnerability was identified by Forcepoint security researchers while analyzing the activity of the GoodSender malware.

GoodSender is a simple .NET-based malware that uses the Telegram network to send information collected from compromised hosts to its operators, enabling them to remotely access infected systems. During their analysis, Forcepoint researchers found that the Telegram Bot API uses weak protection mechanisms for transmitted messages. While messages between regular users are encrypted using Telegram’s MTProto algorithm within TLS traffic, messages sent via the Bot API are only protected by HTTPS.

According to the researchers, the API tokens and chat IDs used by bots are enough to carry out a man-in-the-middle attack. API tokens are present in programs that use the Telegram Bot API and in messages, while chat IDs are included in requests sent via the Bot API.
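Because the bot token and chat ID travel in every Bot API request, a proxy or egress log is enough to spot an implant beaconing to a bot. The following Python is an added example, not code from the article or from Forcepoint: it parses constructed proxy log lines, extracts the method and chat ID from each Bot API call, redacts the token, and groups hosts by token. The log layout and the token format (numeric id, colon, 35-character secret) are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample proxy log lines (host, verb, URL); not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleTokenValueConstructed01234/sendMessage?chat_id=987654321&text=hello
10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleTokenValueConstructed01234/sendDocument?chat_id=987654321
10.0.0.9 GET https://www.example.com/index.html
10.0.0.7 POST https://api.telegram.org/bot55555555:AAAnotherConstructedTokenForTesting/getUpdates
"""

# Bot API URL: ".../bot<numeric id>:<35-char secret>/<method>?<query>".
# Token shape is an assumption from public Bot API usage, not from the article.
BOT_API_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<bot_id>\d{8,10}):(?P<secret>[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>\S*))?"
)

def redact_token(bot_id, secret):
    """Keep enough of the token to correlate events without logging the secret."""
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"

def parse_bot_api_requests(log_text):
    """Return one event per log line that calls the Telegram Bot API."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host, url = parts[0], parts[2]
        m = BOT_API_RE.search(url)
        if not m:
            continue
        query = parse_qs(m.group("query") or "")  # chat_id rides in the query string
        events.append({
            "host": host,
            "token": redact_token(m.group("bot_id"), m.group("secret")),
            "method": m.group("method"),
            "chat_id": query.get("chat_id", [None])[0],
        })
    return events

def hosts_by_token(events):
    """One bot token seen from many hosts suggests a shared implant, not a user's bot."""
    grouped = defaultdict(set)
    for e in events:
        grouped[e["token"]].add(e["host"])
    return {tok: sorted(hosts) for tok, hosts in grouped.items()}
```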

“Even worse, any attacker who can obtain a small amount of key information transmitted in each message can not only monitor forwarded messages but also reconstruct the entire message history of the targeted bot,” the researchers explained.

The entire message history can be retrieved using the forwardMessage() method, which allows any user to forward messages accessible to the bot. Message IDs are sequential, starting from zero, making it possible to identify all messages in a group and forward them to any user.

Thanks to this vulnerability, the researchers were able to redirect all GoodSender communications to their own Telegram profile and study its behavior. They discovered that the malware’s author did not separate the development and testing environments from the operational environment, allowing the researchers to track GoodSender’s activity from its earliest stages.

The researchers are unsure about the exact method GoodSender uses to spread, but they note that the malware leverages a free scanner to identify the EternalBlue vulnerability. According to telemetry data, GoodSender is currently present on at least 120 infected systems, most of which are located in the United States and Vietnam.