Possible RCE flaw in Telegram desktop app, company denies.
Take action: If you are using Telegram desktop application, disable the auto-download feature for media files. Then be careful what files you accept and from whom. Even if it's not a vulnerability, auto-download of files may not be the best choice.
Learn More
A security vulnerability has been raised in the Telegram desktop application by the cryptocurrency security organization CertiK. There is no current reports of similar vulnerabilities on mobile devices. As of now, there has been no official response from Telegram regarding this vulnerability.
The flaw is categorized as a Remote Code Execution (RCE) vulnerability as it enables attackers to execute malicious code on a user's system by sending specially crafted media files, such as images or videos. The organization raised the issue via a tweet and focuses on the risk of hackers can gain access to the operating system and subsequently to the user's cryptocurrency wallets, posing a direct risk to their funds.
In general, the attackers will be able to take over the computer, even if there is no crypto wallet there.
To mitigate the risk, it is strongly recommended that Telegram users disable the auto-download feature for media files. This can be accomplished by navigating to the app settings, selecting "Advanced," and then deactivating the auto-download option for photos, videos, and files across all chat types.
Update - Telegram's official representative stated that they are unable to confirm the existence of the vulnerability that was mentioned in the Certik's warning. They have also characterized the viral video that the news is based on as a hoax.
