
Telegram Web App Vulnerability Let Attackers Hijack Sessions

A new vulnerability has been discovered in Telegram, allowing a threat actor to hijack a Telegram user session via XSS (Cross-Site Scripting).

This vulnerability exists in Telegram WebK versions below 2.0.0.

A CVE for this vulnerability is yet to be assigned. However, Telegram has acted swiftly upon this vulnerability and has patched it accordingly. This vulnerability also affects web3 users.

Technical Analysis

Telegram has a feature called Telegram Mini Apps: web applications that run inside the Telegram Messenger interface and come with privileged session management.

These Mini Apps also offer features such as seamless authorization, integrated crypto and fiat payments through Google Pay or Apple Pay, push notifications and many others.

A malicious Mini App can execute arbitrary JavaScript in the context of web.telegram.org, potentially allowing it to hijack the session of any Telegram user.

The researcher said this XSS vulnerability is triggered via the web_app_open_link event type sent through postMessage.

This event type is designed to open a new tab with a URL that is passed as an argument. Here, a threat actor can supply a URL with the javascript: scheme, so that the payload executes within the JavaScript context of web.telegram.org even though a new tab is opened.


A threat actor can create a bot with a Mini App and point its URL at a malicious website with the exploit embedded on its homepage.

When a link to this Mini App is sent to another user and clicked, the exploit on the malicious website accesses the victim's session ID held in the JS local storage, which the threat actor can then use to hijack the user's session.

How Did Telegram Patch?

To patch this vulnerability, Telegram added code that introduces a safeWindow URL check and passes the noreferrer argument when opening the tab, which prevents the newly opened window from sending the Referer header back to the original page.

With this, the new window is isolated from the original Telegram window, including its JavaScript execution context.
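The defensive pattern described above, as an added example that is not Telegram's code: a postMessage handler that rejects any open-link URL whose scheme is not http or https before opening it, and opens the tab with noopener and noreferrer. The message field names (eventType, eventData.url) and the function names are assumptions for illustration, not the real client's API.

```javascript
// Added example (not Telegram's code): validating a URL received through a
// postMessage "web_app_open_link"-style request before opening a new tab.
// The message shape and function names are hypothetical.

// Only navigable web schemes are allowed. new URL() lowercases the scheme,
// so "JavaScript:" is caught as well as "javascript:"; "data:", "blob:" and
// every other scheme fall through and are rejected.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function isSafeExternalUrl(rawUrl) {
  if (typeof rawUrl !== 'string') return false;
  let parsed;
  try {
    // No base URL is given, so a relative or malformed value throws and is
    // rejected instead of being resolved against the client's own origin.
    parsed = new URL(rawUrl);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Handles one message from an embedded Mini App frame. It returns what it
// decided so the logic can be exercised without a browser. A real client
// would additionally check event.source against the expected frame.
function handleOpenLinkMessage(event, opener = defaultOpener) {
  const data = event && event.data;
  if (!data || data.eventType !== 'web_app_open_link') return 'ignored';
  const url = data.eventData && data.eventData.url;
  if (!isSafeExternalUrl(url)) return 'rejected';
  // noopener severs window.opener; noreferrer additionally suppresses the
  // Referer header, so the new tab is isolated from the opening page.
  opener(url, '_blank', 'noopener,noreferrer');
  return 'opened';
}

// Default opener: only acts when a browser window exists.
function defaultOpener(url, target, features) {
  if (typeof window !== 'undefined') window.open(url, target, features);
}
```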

To prevent exploitation of this vulnerability, users of Telegram WebK 2.0.0 (486) are advised to upgrade to the latest version, Telegram WebK 2.0.0 (488).


Cyber Advisory

CISO Advisory is a Team of Security Experts Covering Various Cybersecurity Research and Technical Write-ups.
