Telegram Security Vulnerability Concerns Addressed

An expert from Russia recently raised concerns about a critical vulnerability in the Telegram messenger that could potentially grant unauthorized access to user accounts without requiring a cloud password or two-factor authentication. The alleged issue was said to occur during authorization via Telegram Widget on third-party websites, particularly within the messenger’s built-in browser. The researcher suggested that this type of authorization could establish sessions with elevated privileges without the account owner’s knowledge.

To mitigate potential risks, users were advised to clear their browser history, terminate any suspicious web sessions, delete cookies, and review the list of connected sites and bots. In some cases, reclaiming the account was recommended as a precautionary measure.

However, Telegram promptly refuted the reported vulnerability. The company’s specialists said that the researcher had misunderstood how the various authorization methods work. According to Telegram, authorization tokens are not linked to full Telegram Web sessions and cannot be exploited to access account data.

Telegram stressed that widget authorizations only create restricted sessions designed for specific interactions, such as voting or commenting on external sites. Users can view and terminate these sessions from their device settings, and Telegram provides clear notifications about them for transparency. Furthermore, data transmitted through the Login Widget only includes public profile information (name, username, photo) and does not grant access to personal messages or calls, including secret chats. Users can manually delete all sessions, including widget sessions, in the settings menu. Telegram highlighted that there have been no recent changes to the authorization system, emphasizing that the system architecture has remained consistent over the years.

The company emphasized that capturing a web session or obtaining an authorization token would require physical access to the user’s device or browser. Telegram’s official position is therefore that the reported vulnerability is unfounded and that the security model for widgets aligns with its intended design and functionality.

Enthusiast Discovers Telegram Flaw, Telegram Corrects