Telegram stickers made secret chats vulnerable
A now-fixed bug in animated stickers would have allowed attackers to sneak into chats protected by end-to-end encryption and access photos, videos and messages
(Photo illustration by Thomas Trutschel / Photothek via Getty Images)
A bug in the Telegram application could have allowed attackers to access messages, photos and videos exchanged via secret chats. The flaw in the instant messaging app was reported by Shielder's cybersecurity experts, who identified it in the versions of Telegram for iOS, Android and macOS. According to the experts, simply sending an animated sticker to a Telegram user could have exposed everything that happened in the secret chats, which are the only chats in the application that are truly end-to-end encrypted.
🎉 Our big 2020 research is finally public 🎉
Discover how @polict_ went from close-to-0 knowledge in fuzzing to crafting 13 0-days in @Telegram! https://t.co/sXZ5MM8BYw
- Shielder (@ShielderSec) February 16, 2021
Animated stickers were introduced on Telegram in 2019, and it was from this feature of the application that the experts' investigation started. By analyzing how the application saved stickers to the device, Shielder found that they affected the functionality of the secret chat to such an extent that an attacker could exploit the flaw to gain access to the messages, photos and videos contained in it simply by sending a sticker in that chat.
Starting from the rlottie folder, used by Telegram to play the animations of its stickers, Shielder identified 13 vulnerabilities. This folder turned out to be a native Samsung library used to play Lottie animations created by Airbnb. By reusing it, Telegram would have increased the chances of attack.
Using the fuzzing technique, which consists of sending random data in order to cause a crash, Shielder discovered that it was possible to access the content of secret chats thanks to a simple animated sticker that broke the end-to-end encryption.
After the report, Telegram fixed the problem without interrupting the encryption of the chats. Now any animated sticker received in a secret chat is analyzed and delivered only if it is part of a set of stickers approved by the platform and therefore not harmful.