Blockchain security firm CertiK has asserted the discovery of a significant vulnerability within the Telegram messenger, potentially exposing users to malicious attacks.
However, Telegram itself refutes these claims, dismissing the purported threat as a hoax.
CertiK Alert took to X (previously known as Twitter), alerting the public to a "high-risk vulnerability in the wild" which could enable hackers to carry out remote code execution (RCE) attacks through Telegram's media processing.
CertiK noted:
"This issue exposes users to malicious attacks through specially crafted media files, such as images or videos."
However, at the time of writing, the post is no longer up.
According to CertiK, the vulnerability specifically affects the Telegram Desktop application.
CertiK recommends that users mitigate the risk by disabling the auto-download feature in the Telegram Desktop settings.
CertiK pointed out that:
"Under the 'Automatic Media Download' section, disable auto-download for 'Photos', 'Videos', and 'Files' across all chat types (Private chats, groups, and channels)."
Despite this warning, Telegram has refuted the existence of such a vulnerability, categorising it as likely a hoax.
While Telegram denies the danger posed by auto-downloading media files, crypto enthusiast Yannick Eckl notes that this issue is not new and has been acknowledged within certain IT-security circles.
Nevertheless, Telegram continues to address potential vulnerabilities through its longstanding bug bounty programme, offering rewards to developers and security researchers who report issues, ranging from $100 to over $100,000, depending on severity.