Telegram Patches Flaw in Web Version, Vulnerability Exposed User Accounts to Hackers

A critical vulnerability within the Telegram Web application was disclosed by security researcher Pedro Batista. This flaw, found in versions up to Telegram WebK 2.0.0 (486), allowed for a severe type of attack known as Cross-Site Scripting (XSS), potentially leading to session hijacking. Just two days after the report, Telegram promptly addressed and rectified the issue, highlighting the responsiveness of their security team.

The Flaw: More Than Just a Text

The CVE-2024-33905 vulnerability, now patched, resided in Telegram’s “Mini App” system. These mini web applications, designed to run within Telegram, can be used for everything from payments to games. Batista discovered that a maliciously crafted Mini App could execute arbitrary code on the main Telegram web domain (web.telegram.org) leading to a “session hijacking” attack.

The XSS flaw was triggered through the web_app_open_link event by exploiting the postMessage function, allowing malicious Mini Apps to execute arbitrary JavaScript on web.telegram.org. This could lead to unauthorized actions such as session hijacking, where attackers gain control over the victim’s session tokens and other sensitive data.

The attack involved a few key steps:

1. An attacker would create a Telegram bot and a linked Mini App.
2. They would set the Mini App’s URL to a malicious site, for example, https://evil.com/homepage.html.
3. The malicious page would host a script designed to exploit the vulnerability upon being loaded.

The critical line of code in the Mini App could look something like this:

<body onload=exploit()>
<script>
function exploit() {
    window.parent.postMessage(JSON.stringify({eventType: 'web_app_open_link', eventData: {url: "javascript:alert(JSON.stringify(window.parent.localStorage))"}}), '*');
}
</script>
</body>

How Attackers Could Exploit It

In a session hijacking scenario, the attacker essentially impersonates the victim by stealing their active Telegram web session. This grants them full access to the account as if they were the legitimate user. From here, they could read messages, impersonate the victim, spread malware, or even access crypto wallets linked to the account.

Web3 Users at Risk

Batista’s report highlights that Telegram Mini Apps’ ability to process crypto payments through the TON Blockchain put Web3 users at particular risk. Compromised crypto wallets could spell significant financial losses for individuals.

Telegram’s Swift Response

Thankfully, Telegram responded quickly to Batista’s report. A patch was issued on March 11th, 2024, safeguarding users. The update involved a patch that remedied the specific method by which the web_app_open_link event handled URLs, ensuring that scripts could no longer hijack sessions or execute unauthorized code. However, anyone who hasn’t updated their Telegram web app since that date remains vulnerable.

How To Protect Yourself

1. Update Telegram Web: If you use Telegram’s web version, update it as soon as possible. Visit the web app and see if an update is automatically prompted. If not, you may need to clear the browser cache or force a hard refresh (Ctrl+Shift+R on Windows, Cmd+Shift+R on Mac).
2. Be Mindful of Mini Apps: While the flaw is now fixed, exercise caution when using Telegram Mini Apps, especially those from unverified developers.