Missing Authorization in Telegram Desktop for Windows - CVE-2020-25824
Published: October 14, 2020 / Updated: January 28, 2021
Vulnerability identifier: #VU50073
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-25824
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Telegram Desktop for Windows
Telegram Desktop for Windows
Software vendor:
Telegram
Telegram
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the application does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files.
Remediation
Install updates from vendor's website.