Telegram debunks reported vulnerability in desktop app, confirms mobile security Telegram debunks reported vulnerability in desktop app, confirms mobile security
Web3 security firm CertiK said its social media post was to spread awareness about the issue.
1 min read
Updated: Apr. 9, 2024 at 6:18 pm UTC
Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.
The crypto-friendly messaging application Telegram has debunked claims that a vulnerability on its platform exposed its users to attacks.
The alleged vulnerability
Blockchain security firm CertiK said on April 9 that Telegram’s desktop application has a potential high-risk Remote Code Execution (RCE) vulnerability. The firm stated:
“Possible RCE detected in Telegram’s media processing in the Telegram Desktop application. This issue exposes users to malicious attacks through specially crafted media files, such as images or videos.”
According to CertiK, this vulnerability could allow malicious actors to send RCE to users, potentially exposing them to attacks via specially crafted media files.
The security firm clarified that the vulnerability is confined to desktop apps, which can execute programs contained within files. Mobile applications remain unaffected, as they do not execute programs.
CertiK advised users to deactivate the auto-download feature on the desktop application for security purposes. Users can adjust their media download settings to manual downloads in the app’s settings.
Telegram’s response
In an April 9 post on X (formerly Twitter), Telegram stated that the trending videos were likely a hoax as there was no such vulnerability on its platform.
Nevertheless, the platform urged users to report any threat or potential vulnerabilities in its applications via its bug bounty program.
Meanwhile, a CertiK spokesperson told CryptoSlate that the firm was not in touch with Telegram and that news of the vulnerability had come from the security community. It added that the mobile version of the messaging application was secure from this vulnerability because it “does not directly execute executable programs like desktops, which generally require signatures.”
CertiK further stated that its social media post about the vulnerability intended to raise awareness of the potential issue and remind users of best practices.
Mentioned in this article
Posted In: Analysis, Technology
Author 
Oluwapelumi Adejumo
Oluwapelumi values Bitcoin's potential. He imparts insights on a range of topics like DeFi, hacks, mining and culture, underlining transformative power.
Editor Editor 
Assad Jafri
AJ, a passionate journalist since Yemen's 2011 Arab Spring, has honed his skills worldwide for over a decade. Specializing in financial journalism, he now focuses on crypto reporting.
In this article
CertiK
Founded in 2018 by professors of Yale University and Columbia University, CertiK is a pioneer in blockchain security, utilizing best-in-class AI technology to secure and monitor blockchain protocols and smart contracts.