Imagine accessing a file only on Telegram, which, when clicked, becomes a full-fledged tool to secretly execute code in your computer. These were real scenarios, for example, we had an issue with Windows users where a security hole in Telegram’s desktop client was fixed.
The culprit? A simple typo. The source code of the software may be mistaken by the targeter for a dangerous command that sends “.pyzw” files. These files, which were designed as a safe way to run Python programs, got around Telegram’s security warnings and showed a “mute”-like icon instead of the “dangerous” icon they were. Whenever they are clicked, they forcefully run executable files containing malicious code.
Fortunately, Telegram acted quickly. They caught the problem (a typo that inadvertently denoted “.pywz” instead of “.pyzw” as a dangerous file type) by accident. Through the server side, they ensure that new and old versions of Windows are fine because they are all protected.
It’s a lesson that shows how important software improvement and the diligence of developers are. Something as small as a typing mistake can end up having costly consequences. Instant messaging platform Telegram revealed its advantage over the competition by ensuring its security with the release of a fix.
“Rumors about the existence of zero-click vulnerabilities in Telegram Desktop are inaccurate. Some “experts” recommended to “disable automatic downloads” on Telegram — there were no issues which could have been triggered by automatic downloads.
However, on Telegram Desktop, there was an issue that required the user to CLICK on a malicious file while having the Python interpreter installed on their computer. Contrary to earlier reports, this was not a zero-click vulnerability and it could affect only a tiny fraction of our user base: less than 0.01% of our users have Python installed and use the relevant version of Telegram for Desktop.
A server-side fix has been applied to ensure that even this issue no longer reproduces, so all versions of Telegram Desktop (including all older ones) no longer have this issue.”
❖ Telegram
