SB2020101411 - Information disclosure in Telegram Desktop

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authorization (CVE-ID: CVE-2020-25824)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the application does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files.

Remediation

Install update from vendor's website.

References

• https://github.com/soheilsamanabadi/vulnerability/blob/main/Telegram-Desktop-CVE-2020-25824
• https://github.com/telegramdesktop/tdesktop/releases/tag/v2.4.3
• https://security.gentoo.org/glsa/202101-34
• https://www.Telegram.org