Shock horror! Telegram messaging app proves insecure yet again!

Unicode clumsiness allowed months of malware installations

Telegram has fixed a security flaw in its desktop app that hackers spent several months exploiting to install remote-control malware and cryptocurrency miners on vulnerable Windows PCs.

The programming cockup was spotted by researchers at Kaspersky in October. It is believed miscreants have been leveraging the bug since at least March. The vulnerability stems from how its online chat app handles Unicode characters for languages that are read right-to-left, such as Hebrew and Arabic.

A JavaScript file could be sent as a message attachment to a victim, with the filename crafted to exploit the Unicode bug and cover up the fact it's a .js document. This tricks the mark into opening what appears to be a safe .png attachment. Windows asks the victim if they are sure they want to open the JavaScript file: if they select "Run," or configure their PC to not bother asking, then the script is executed, and malware is downloaded and run.

This software nasty can open a backdoor, snoop on the mark, mine alt-coins, and so on. Telegram has, we're told, corrected the mistake in its open-source application.

"The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string," Kaspersky's Alexey Firsh explained today.

"In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text.

"In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse."

[Image caption] Insecurity via obfuscation ... A .JS file disguised as a .PNG using Telegram's Unicode handling bug
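A defender-side check for the trick described above, as an added example that is not from the article or from Kaspersky: a Python gateway-style function that strips Unicode bidi control characters from an attachment filename, works out the extension the OS will actually dispatch on, and approximates what the user would have seen. The sample filename, the control-character table and the executable-extension list are constructed for the example.

```python
import os

# Unicode bidirectional control characters that can change how a string is drawn.
# U+202E (RLO) is the one abused against Telegram; the others are included because
# any of them can be used for the same display trick.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Extensions Windows runs when double-clicked (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".msi"}


def displayed_form(name: str) -> str:
    """Approximate how a naive renderer shows NAME: characters after an RLO are
    drawn right-to-left (reversed) until a PDF (U+202C) or the end of the string.
    This simplifies the Unicode bidi algorithm; it is adequate for the ASCII-only
    filenames the attack relies on."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are zero-width; drop them from the rendering
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_filename(name: str) -> dict:
    """Classify an attachment filename. The real extension is whatever splitext
    sees once all bidi controls are removed, since that is what the OS uses."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real_ext = os.path.splitext("".join(c for c in name if c not in BIDI_CONTROLS))[1].lower()
    shown = displayed_form(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "raw": name, "displayed": shown, "real_extension": real_ext,
        "controls": controls,                      # (index, name) of each bidi control
        "executable": real_ext in EXECUTABLE_EXTS,  # would Windows run it on open?
        "block": bool(controls) or real_ext != shown_ext,  # spoofed or unrenderable name
    }
```

Run `inspect_filename("photo_high_re\u202egnp.js")` and the result shows the user would have seen `photo_high_resj.png` while the OS would run a `.js` file.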

The Kaspersky crew discovered hackers exploiting this blunder in a number of ways. First off, it was being used to trick victims into installing a remote-access trojan that would regularly ping Russian servers and opened a backdoor so that miscreants could remotely control the infected system.

In keeping with current trends, hackers were also using the security hole to install multiple copies of cyber-cash mining software that crafted Zcash, Fantomcoin and Monero coins.

"It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals," Firsh's advisory read.

"We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products."

It has been less than a year since the last big Telegram flaw, and there have been persistent questions about its security. The fact it doesn't encrypt messages end-to-end by default, and that it uses its own homegrown cryptography, worries experts. Telegram insists its software is secure.

Activists in repressive regimes may want to use something more tried-and-tested, such as Signal, to avoid accidentally beating themselves to death while committing suicide. ®
