Telegram had significant security vulnerabilities

The Telegram messaging app was plagued with vulnerabilities last year after a security researcher discovered 13 in a single investigation. Writing for computer security firm Shielder, a researcher known as "polict" also confirmed that all of the security bugs were responsibly reported to Telegram and subsequently fixed.

The Telegram vulnerabilities were initially discovered after an investigation of the source code of the new animated stickers released by the secure messaging app in 2019. The flaws allowed attackers to send malicious stickers to victims to access private messages, photos, and videos. While the exploit was far from simple, there is no guarantee that it would have deterred sophisticated threat actors.

The 13 vulnerabilities included one heap out-of-bounds write, one stack out-of-bounds write, one stack out-of-bounds read, two heap out-of-bounds reads, one integer overflow leading to a heap out-of-bounds read, two type confusions, and five denial-of-service flaws.

All patched up

"Before starting this investigation in 2019, I would have been quite skeptical if asked if I would find a single memory corruption on Telegram the following year," polict wrote. "Today I shared the story of how I found 13, some with bigger impact than others, but all were quickly fixed by Telegram for all families of devices that support secret chats: Android, iOS, and macOS. This research has helped me understand once again that it is not trivial to limit large-scale attack surfaces in end-to-end encrypted contexts without losing functionality."

Following the findings, security researchers waited 90 days before notifying Telegram about the security issues. Since then, all have been fixed, following updates to Android, iOS, and macOS versions released in September and October of the year. Basically, if you updated your Telegram app in the last four months, you are protected.

Although Telegram has moved quickly to fix the flaws, the vulnerabilities are still somewhat embarrassing for the messaging app. Telegram prides itself on the privacy and security it can offer to its users, which makes any security flaw particularly damaging to the app's reputation.