Telegram Web App XSS Flaw

A vulnerability has been disclosed in Telegram's web client, WebK, that allows a threat actor to hijack a Telegram user's session via XSS (Cross-Site Scripting).

This vulnerability exists in Telegram WebK builds prior to 2.0.0 (488).

A CVE has not yet been assigned to this vulnerability. Telegram nonetheless acted quickly and has patched it. Because Mini Apps are widely used for crypto wallets and payments, the flaw also affects web3 users.

Technical Analysis

Telegram has a feature called Telegram Mini Apps: web applications that run inside the Telegram Messenger interface, embedded in the client.

Mini Apps also offer seamless authorization, integrated crypto and fiat payments through Google Pay or Apple Pay, push notifications and other features.

A malicious Mini App can achieve arbitrary JavaScript execution in the origin of web.telegram.org, which is enough to hijack the session of any Telegram user who opens it.

According to the researcher, the XSS is triggered through the web_app_open_link event type, which a Mini App sends to the Telegram web client via postMessage.

This event type is meant to open the URL supplied in the event data in a new tab. The client handed that URL to window.open without restricting its scheme, so an attacker can supply a javascript: URL instead of a web address: the "tab" that opens does not load a page but evaluates the attacker's script with access to the web.telegram.org context.


A threat actor can create a bot with an attached Mini App and point its URL at a malicious website whose homepage carries the exploit.

When a link to this Mini App is sent to another user and opened, the malicious page posts the crafted web_app_open_link event, the injected script runs in the Telegram origin and reads the victim's session data out of web.telegram.org's local storage, and the threat actor can then use that data to hijack the user's session.

How Did Telegram Patch?

Telegram patched the flaw by routing the tab opening through a safe window-open helper that passes the noreferrer option. noreferrer stops the newly opened window from sending the Referer header back to the original page, and it also implies noopener, so the opened window receives no window.opener reference to the Telegram page.

With this, the new window is isolated from the original Telegram window, and script supplied through the URL no longer runs with access to the web.telegram.org context.

To prevent exploitation, users running Telegram WebK 2.0.0 (486) should upgrade to the patched build, Telegram WebK 2.0.0 (488), or later.
