Pavel Durov denies Telegram vulnerability accusations
Telegram founder Pavel Durov has denied accusations of a vulnerability in the app for macOS. Russian newspapers had reported that Telegram had “confirmed the vulnerability” in its application for Apple computers. However, Durov clarified that no such vulnerability existed, because the user’s computer had to be compromised already for the issue to occur: an attacker required access to the victim’s computer to control their camera and microphone via the Telegram app. Durov criticized sensationalist media coverage of technical issues that could mislead users into underestimating real threats.
The news follows the discovery of a vulnerability in the Telegram app for macOS earlier this year. A Google security engineer found that a malicious dynamic library could be injected into the app, bypassing Apple’s TCC (Transparency, Consent, and Control) mechanism, which prevents third-party apps from accessing a device’s camera and microphone. An attacker could activate the computer’s camera and record video without the user’s knowledge. The vulnerability was assigned the identifier CVE-2023-26818 in February, but Telegram did not respond to the researcher’s attempts to report the issue.
Durov highlighted the danger of sensationalist media coverage undermining serious reports of vulnerabilities. For example, WhatsApp had suffered a vulnerability that enabled hackers to gain full access to a user’s phone simply by placing a call or watching a video. Durov suggested that the media should avoid conflating imaginary and real threats, or risk losing credibility.