Researchers at cyber security firm Shielder discovered a critical flaw affecting iOS, Android, and macOS versions of the instant messaging app Telegram.
The experts discovered that sending a sticker to a Telegram user could have exposed their secret chats, photos, and videos to remote attackers.
In 2019, Telegram introduced animated stickers, which was the starting point of the experts' investigation. The “rlottie” folder caught their attention: it is the folder of Samsung's native library for playing Lottie animations, originally created by Airbnb.
The experts discovered multiple flaws in the way the secret chat functionality was implemented and in how Telegram handled animated stickers. An attacker could have exploited them by sending malformed stickers to unsuspecting users, gaining access to messages, photos, and videos exchanged through both classic and secret chats.
“What follows is my journey in researching the lottie animation format, its integration in mobile apps and the vulnerabilities triggerable by a remote attacker against any Telegram user. The research started in January 2020 and lasted until the end of August, with many pauses in between to focus on other projects.” reads the analysis published by Shielder experts.
“During my research I have identified 13 vulnerabilities in total: 1 heap out-of-bounds write, 1 stack out-of-bounds write, 1 stack out-of-bounds read, 2 heap out-of-bound read, 1 integer overflow leading to heap out-of-bounds read, 2 type confusions, 5 denial-of-service (null-ptr dereferences).”
The experts used a fuzzing approach to test rlottie, Samsung's C++ library for parsing Lottie animations, and triaged the resulting crashes. Telegram developers used this library instead of Airbnb's.
“It’s important to note here also that Telegram developers chose to fork the rlottie project and maintain multiple forks of it, which makes security patching especially hard.” continues the report. “This will turn out to be an additional problem since the Samsung’s rlottie developers do not track security issues caused by untrusted animations in their project because they are not “the intended use case for rlottie” (quote from https://gitter.im/rLottie-dev/community ).”
Once AFL-fuzz was launched, the experts observed multiple crashes, some of which were caused by serious issues, including heap-based out-of-bounds reads/writes, stack-based out-of-bounds writes, and high-address SEGVs.
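Bucketing fuzzer crashes into the categories the report uses (heap/stack out-of-bounds read or write, null-pointer dereference, high-address SEGV) is the first step of triage. The script below is an added example, not Shielder's tooling or rlottie code; the AddressSanitizer excerpts it parses are constructed samples, and the address thresholds are assumptions for x86-64 user space.

```python
import re
from collections import Counter

# Constructed AddressSanitizer report excerpts of the kinds an AFL run on an
# untrusted-input parser produces. Illustrative samples only, not real crashes.
SAMPLE_REPORTS = [
    "==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000118\n"
    "WRITE of size 4 at 0x602000000118 thread T0",
    "==2==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f0\n"
    "READ of size 8 at 0x6020000000f0 thread T0",
    "==3==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1a2b3c40\n"
    "WRITE of size 1 at 0x7ffd1a2b3c40 thread T0",
    "==4==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000\n"
    "The signal is caused by a READ memory access.\n"
    "Hint: address points to the zero page.",
    "==5==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3c9a1d2e40\n"
    "The signal is caused by a READ memory access.",
]

ERROR_RE = re.compile(
    r"AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) (?:of size \d+|memory access)")

NULL_PAGE_LIMIT = 0x1000          # below the first page: null-pointer dereference (DoS)
HIGH_ADDR_LIMIT = 0x7f0000000000  # assumed cut-off for a "high-address" SEGV on x86-64

def classify(report: str) -> str:
    """Map one sanitizer report to a triage bucket named as in the report."""
    m = ERROR_RE.search(report)
    if not m:
        return "unknown"
    kind, addr = m.group("kind"), int(m.group("addr"), 16)
    access = ACCESS_RE.search(report)
    rw = access.group(1).lower() if access else "unknown"
    if kind.endswith("-buffer-overflow"):
        region = kind.split("-")[0]          # heap / stack / global
        return f"{region} out-of-bounds {rw}"
    if kind == "SEGV":
        if addr < NULL_PAGE_LIMIT:
            return "null-ptr dereference"
        if addr >= HIGH_ADDR_LIMIT:
            return "high-address SEGV"
        return "SEGV (wild address)"
    return kind

def triage(reports):
    """Count crashes per bucket; writes are the ones to fix first."""
    return Counter(classify(r) for r in reports)

if __name__ == "__main__":
    for bucket, n in sorted(triage(SAMPLE_REPORTS).items()):
        print(f"{n:3d}  {bucket}")
```

Feed it the sanitizer output saved alongside each AFL crash input to see at a glance how many findings are memory-corruption writes versus plain denial-of-service crashes.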
Telegram has addressed the flaw with the release of security updates on September 30 and October 2, 2020.
Shielder waited 90 days before publicly disclosing its findings to give users time to update their devices.
“Today I shared with you the story of how I have found 13, some with a higher impact than others but all which were promptly fixed by Telegram for all the device families supporting secret chats: Android, iOS and macOS.” concludes the report. “This research helped me understand once more that it’s not trivial to limit attack surfaces at scale in end-to-end encrypted contexts without losing functionalities.”
I suggest reading the step by step analysis published by Shielder.
Last week, security researcher Dhiraj Mishra reported a bug in the Telegram macOS app that made it possible to access self-destructing audio and video messages long after they had disappeared from secret chats.