KB777462

Introduction

It has been observed that the Telegram Android app source code has been poisoned and a rogue feature was introduced, which pursues an unintended behaviour resulting in unsoliticited URL being requested to be opened on Android. This is confirmed a rogue behaviour because this discloses the access token of the account the affected Android clients are signed-in, resulting in unintended data sharing to the Telegram website.

Major clients including those having a wide varienty use in Iran and other countries with dominant surveillance ISPs, are confirmed to be poisoned with this malicious design.

Symptoms

Telegram Android apps assembled/compiled from the source code found in the GitHub repository DrKLO/Telegram have a malicous behaviour which passes additional access tokens with URLs to signed-in accounts to Android with the aim of opening them, if the user taps on the link of the official Telegram Web application in messages. This issue can be reproduced by following these procedures:

1. Send a message to any contact or group containing the URL https://web.telegram.org.
2. Tap on the link contained in the message, the issue is then reproduced. The web browser will open the link with additional contents to the originally sent one, which will cause the Telegram Web application to automatically sign in the user on the Android app. The links may have the following appearance: https://web.telegram.org/k/#[authentication token].

It has been confirmed that current or past versions of Plus Messenger, Graph Messenger, and BGram, are affected by this issue.

Solution

Li Ao believes that this design is not officially disclosed by Telegram. In order to raise public attention and ensure as many people as possible to eliminate from this possibly undisclosed rogue design, a pull request containing a document that describes this issue, in the GitHub repository; this is not an actual open source contribution, however, creating the pull request in the main branch is in the need of documenting this rogue behaviour, because GitHub Issues is disabled for this repository, and doing this will make the requested merge request permanently recorded in the branch it was meant for to be merged. This is aiming to raise public attention to possible security risks for using the source code directly without prior verification. Please see the Git pull action number #f9211a3877473c45ff6b8a349806a63ab71e2d42 for details.

App publishers employing the source code are encouraged to conduct preciously verification before using it directly in their apps, to ensure that supply-chain-based spyware are regulated and controlled, and possible unwanted components can be removed before reaching to end customers.

As a precautionary measure, Li Ao believes that poisoning with malicious codes in the upstream repositories which will be used by many third-party apps is a measure to collect usage reports and possibly telemetry data, in the very beginning after noticed that almost every Telegram apps are derived from the official code, in 2022 or earlier. According to internal control policies he is generally not allowed to transmit sensitive data over Telegram, unless proper encryption and obfuscation to sensitive data are guaranteed.

Customers of surveillance ISPs are encouraged to isolating their environment which runs Telegram apps to prevent surveillance and tracking. Residential Internet connection can be used during account registration and in the early stages before their accounts are entrusted by the Telegram system to prevent sudden account suspensions.

The revealing of this issue has furtherly confirmed the doubts that Telegram accesses user data to some degrees. As a best practice, activists should never trust the functionality of making invisible the phone numbers to keep their private numbers isolated from activities from their accounts using these numbers.