Google Security Engineer Discovers Vulnerability in Telegram App on macOS
A security engineer at Google has identified a vulnerability in the Telegram messaging application on macOS that could allow unauthorized access to the user’s device camera. Apple’s Transparency, Consent, and Control (TCC) mechanism usually prevents third-party software from accessing components such as the camera or microphone. Even administrators are not able to use them without the appropriate permissions. However, Telegram requires access to the camera and microphone for video calls.
The engineer found that the lack of a “secure execution environment” in the Telegram app for macOS allowed a malicious dynamic library (dylib) to be injected using the “DYLD_INSERT_LIBRARIES” environment variable. Code in the injected library runs inside the Telegram process and therefore inherits the access Telegram has been granted, including the device camera. The dylib is able to activate the camera and record video without notification or system indications of its use. The recorded video is stored locally in the “/tmp/telegram.logs” file.
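A defender-side check for the condition described above, as an added example that is not from the researcher’s report or from Telegram: it reads the text printed by `codesign -d --verbose=4` and the app’s entitlements plist, and reports whether the binary lacks the Hardened Runtime flag or carries entitlements that weaken protection against injected libraries. It assumes the “secure execution environment” refers to Apple’s Hardened Runtime; the function name `audit` and the sample outputs are constructed for illustration.

```python
import plistlib
import re

CS_RUNTIME = 0x10000  # Hardened Runtime bit in the CodeDirectory flags
RISKY_ENTITLEMENTS = (
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
)

# Constructed samples shaped like `codesign -d --verbose=4 <app>` output.
UNHARDENED = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20400 size=1024 flags=0x0(none) hashes=24+7 location=embedded
"""
HARDENED = UNHARDENED.replace("flags=0x0(none)", "flags=0x10000(runtime)")

# Constructed entitlements plist, as dumped by codesign in XML form.
ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<key>com.apple.security.device.camera</key><true/>
</dict></plist>"""


def audit(display_text, entitlements_xml=b""):
    """Return findings for one binary; an empty list means nothing was flagged."""
    m = re.search(r"^CodeDirectory\b.*\bflags=0x([0-9a-fA-F]+)", display_text, re.M)
    if m is None:
        return ["no CodeDirectory line: unsigned or unparsable"]
    ents = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    findings = []
    if not int(m.group(1), 16) & CS_RUNTIME:
        findings.append("Hardened Runtime flag not set")
    # An entitlement only counts when it is present and set to true.
    findings += [f"risky entitlement: {key}"
                 for key in RISKY_ENTITLEMENTS if ents.get(key) is True]
    return findings


if __name__ == "__main__":
    for name, args in (("unhardened", (UNHARDENED,)),
                       ("hardened", (HARDENED,)),
                       ("hardened + entitlement", (HARDENED, ENTITLEMENTS_XML))):
        print(name, "->", audit(*args) or "ok")
```

On a Mac, the same function can be fed the real output of `codesign` for each application that holds camera or microphone permission.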
The vulnerability, identified as CVE-2023-26818, was discovered on 3 February, but despite the researcher’s correspondence with Telegram’s security services, no action has been taken to resolve it. The researcher has now published a report including all the information required for a novice attacker to exploit the vulnerability.
While this vulnerability may be used to record video without the user’s knowledge, the researcher suggests it could also be used to stream video directly to an external URL, opening up significant opportunities for real-time surveillance.
At the time of writing, Telegram has not commented on the situation. However, it is expected that a solution will be forthcoming in response to the discovery of this vulnerability.