Telegram Vulnerability Allows Access to Private Chats
A security researcher known as w9w on “Habrahabr” has discovered several serious vulnerabilities in the Telegram messenger. According to the researcher, the supposedly secure messenger is not as well protected as many believe: scammers can use t.me links to lure users to phishing sites, the confidentiality of private chats is questionable, and posts on the Telegraph publishing service can be edited by unauthorized individuals.
Issues with Confidential Content Indexing
The researcher noted, “There are clear problems with preventing the indexing of confidential content on t.me.” Telegram bot codes appear in search engine results because the site's robots file does not exclude the pages that carry them, so ordinary crawlers index them. An attacker can exploit this to obtain user data: in addition to email addresses, which are public information, a hacker could also gain access to private chats and channels. It is worth stressing that a robots file is only a request to cooperating crawlers; it is not an access control, and any page whose only protection is a hard-to-guess URL stays exposed to anyone who finds that URL in an index or a shared link.
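The check a practitioner would run after such a report is whether the sensitive paths are actually excluded for crawlers. The following is an added example written for this article, not code from the researcher or from Telegram; the two robots.txt bodies and the t.me paths in it are constructed for illustration and do not reproduce the real site's layout or its real robots file.

```python
"""Report which sensitive URLs a robots.txt still leaves crawlable.

Added example, not code from the researcher or from Telegram. The robots.txt
bodies and URLs below are constructed; they are not the real t.me files/paths.
"""
from urllib.robotparser import RobotFileParser

# Constructed sample: the weak configuration, which only blocks one directory
# and therefore leaves every other path open to any crawler.
WEAK_ROBOTS = """\
User-agent: *
Disallow: /static/
"""

# Constructed sample: the same file with the path prefixes that carry invite
# codes or bot identifiers disallowed for every crawler.
FIXED_ROBOTS = """\
User-agent: *
Disallow: /static/
Disallow: /joinchat/
Disallow: /bots/
"""

# Constructed URLs standing in for pages whose path alone reveals a secret.
# Hypothetical: these are not real Telegram URLs.
SENSITIVE_URLS = [
    "https://t.me/joinchat/AAAAexampleInviteCode",
    "https://t.me/bots/example_bot_code",
    "https://t.me/public_channel_name",
]


def crawlable_urls(robots_txt, urls, user_agent="Googlebot"):
    """Return the subset of `urls` that `robots_txt` still permits `user_agent` to fetch."""
    parser = RobotFileParser()
    # parse() consumes the file as a list of lines, so no network access is needed.
    parser.parse(robots_txt.splitlines())
    return [u for u in urls if parser.can_fetch(user_agent, u)]


if __name__ == "__main__":
    for label, body in (("weak", WEAK_ROBOTS), ("fixed", FIXED_ROBOTS)):
        print(f"{label}: still crawlable -> {crawlable_urls(body, SENSITIVE_URLS)}")
```

Under the weak file all three constructed URLs remain crawlable; under the fixed file only the public channel page does. Passing the check only means well-behaved crawlers will stop indexing the paths. Pages that reveal bot codes or invite links should additionally sit behind authentication or be marked non-indexable on the response itself, because a robots file is advisory and, read directly, even tells an attacker where the interesting paths are.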
Open Redirect Vulnerability
The second vulnerability discovered is an Open Redirect on t.me. “This vulnerability allows a direct redirect from t.me to any phishing site, the download of a trojan, malicious JavaScript (such as a JS miner or the latest 0-day exploit for Intel processors), and more,” the researcher writes. The danger is that the link a victim sees and clicks genuinely points at t.me, so a user who checks the domain before clicking notices nothing wrong until the site forwards them elsewhere.
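The following is an added example, not code from Telegram or from the researcher, showing the pattern behind an open redirect and one way to close it: a redirect handler that echoes a client-supplied parameter beside one that resolves the value against the site's own origin and only redirects to an allow-listed host. The host names, the `next` parameter and the function names are assumptions made for illustration.

```python
"""Open redirect: an unchecked redirect parameter beside a hardened check.

Added example, not code from Telegram or from the researcher. ALLOWED_HOSTS,
SITE_ORIGIN and the function names are assumptions for illustration.
"""
from urllib.parse import urljoin, urlsplit

# Constructed allow-list: the only hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"t.me", "telegram.org"}
SITE_ORIGIN = "https://t.me"


def redirect_target_vulnerable(next_param):
    """Weak pattern: whatever the client supplied becomes the Location header."""
    return next_param


def redirect_target_safe(next_param, fallback="/"):
    """Return an absolute URL for `next_param` if it lands on an allowed host, else `fallback`.

    The value is resolved against the site's own origin before any check, so
    schemeless forms such as "//evil.example" are judged by the host they
    actually resolve to rather than by their leading slash.
    """
    if not next_param:
        return fallback
    # Browsers treat backslashes as slashes; normalise so "/\\evil.example"
    # becomes "//evil.example" and is seen as a protocol-relative URL.
    candidate = next_param.strip().replace("\\", "/")
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, and other non-navigational schemes
    if parts.hostname not in ALLOWED_HOSTS:
        return fallback  # absolute or protocol-relative URL to a foreign host
    if parts.username is not None or parts.password is not None:
        return fallback  # userinfo has no legitimate use in a redirect target
    # Emit the resolved absolute URL, never the raw parameter, so the browser
    # cannot interpret the value differently from how this check parsed it.
    return resolved


if __name__ == "__main__":
    for value in ("/settings", "//evil.example/phish", "https://t.me.evil.example/",
                  "javascript:alert(1)", "https://telegram.org/faq"):
        print(f"{value!r:35} -> {redirect_target_safe(value)}")
```

Two design points matter here. The host comparison is an exact match against an allow-list, so `t.me.evil.example` and `evil.example@t.me` are both rejected; a prefix or substring check on the string would pass them. And the handler redirects to the resolved, normalised URL rather than echoing the parameter, which removes the class of bugs where the server's URL parser and the browser's disagree about where an odd-looking value points.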
Cross-Site Request Forgery (CSRF)
The third vulnerability is a cross-site request forgery (CSRF) on Telegraph. Using it, an attacker can edit someone else's article knowing only its page_id number, because the token the edit request relies on is found in the source code of the article itself; for example, the article telegra.ph/Durov-01-22 has the ID 7f0d501375c9e2acbd1ef.
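The following is an added example, not Telegraph's code and not a statement of how its tokens were built. It illustrates the general weakness the report describes, an edit token that is the same for every visitor and sits in the public page source, next to the usual fix, a token bound to the acting session with a server-side HMAC. The page id, session ids, server secret and HTML fragment are constructed for the demonstration.

```python
"""CSRF on an edit endpoint: a per-page token readable by anyone, beside a
token bound to the acting session.

Added example, not Telegraph's code. Secret, session ids, page id and the HTML
fragment are constructed; the bound-token scheme is the common HMAC pattern.
"""
import hashlib
import hmac
import re
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real server loads this from config


def weak_page_token(page_id):
    """Weak pattern: one token per page, identical for every visitor.

    Because it is printed into the public page source, anyone who loads the
    page (or knows its page_id) learns exactly the value the edit endpoint expects.
    """
    return hmac.new(SERVER_SECRET, page_id.encode(), hashlib.sha256).hexdigest()[:20]


def bound_token(session_id, page_id):
    """Hardened pattern: the token commits to the acting session and the target page."""
    message = f"edit|{session_id}|{page_id}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def render_edit_form(page_id, session_id, bound):
    """Server renders the edit form for the visitor identified by `session_id`."""
    token = bound_token(session_id, page_id) if bound else weak_page_token(page_id)
    # Constructed HTML fragment. The token is in the page source either way;
    # the difference is whose session it is valid for.
    return f'<form action="/edit/{page_id}"><input name="token" value="{token}"></form>'


def handle_edit(page_id, session_id, presented_token, bound):
    """Server validates the token that arrived with the edit request (constant time)."""
    expected = bound_token(session_id, page_id) if bound else weak_page_token(page_id)
    return hmac.compare_digest(expected, presented_token)


def extract_token(html):
    """Attacker pulls the token out of a page they fetched with their own session."""
    match = re.search(r'name="token" value="([0-9a-f]+)"', html)
    return match.group(1) if match else ""


def csrf_attack_succeeds(page_id, bound):
    """Attacker reads the token from their own view of the page, then gets the
    victim's browser (which carries the victim's session cookie) to submit it."""
    attacker_view = render_edit_form(page_id, session_id="attacker-session", bound=bound)
    stolen = extract_token(attacker_view)
    return handle_edit(page_id, session_id="victim-session", presented_token=stolen, bound=bound)


if __name__ == "__main__":
    print("per-page token, attack succeeds:", csrf_attack_succeeds("example-page", bound=False))
    print("session-bound token, attack succeeds:", csrf_attack_succeeds("example-page", bound=True))
```

With the per-page token the forged request is accepted, because nothing in the token says who is acting; the attacker learned it from a page anyone can read and only needed the page_id to know which form to target. With the session-bound token the value copied from the attacker's own view does not verify under the victim's session, so the victim's browser submitting it achieves nothing. The HMAC itself is not what makes the difference; binding the token to the session (and keeping that token out of anything a third party can read) is.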
Telegram’s Response and Rewards
The researcher reported these findings to Telegram's developers through the company's bug bounty program. He received €50 for the indexing issue, €100 for the Open Redirect, and €1,400 for the CSRF vulnerability in Telegraph.