Blockchain security firm CertiK says it has identified a significant vulnerability in the Telegram Messenger desktop client that could expose users to remote code execution. Telegram has dismissed the report, calling it most likely a hoax.
According to CertiK Alert, the firm's threat-alert channel, the issue is a potential remote code execution (RCE) vulnerability in the media-handling code of the desktop version of the app. In the scenario CertiK describes, an attacker sends a specially crafted media file, such as an image or video, and the client's handling of that file results in attacker-supplied code running on the recipient's machine.
A spokesperson for CertiK said the vulnerability is specific to the desktop version of Telegram, because mobile operating systems do not run downloaded files as executables the way desktop systems do. CertiK said the issue was brought to its attention by members of the security community.
Pending a fix, CertiK advised users to review their Telegram Desktop settings and turn off automatic media downloads, so that nothing a contact or channel sends is written to disk unless the user explicitly opens it. In Telegram Desktop this is done under Settings, then Advanced, in the Automatic media download section, where the toggles for photos, videos and files can be disabled separately for private chats, groups and channels; CertiK recommended disabling them for all chat types.
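Turning off auto-download protects future messages, but files already downloaded remain on disk. The script below is an added example, not code from CertiK or Telegram, and it assumes nothing about the reported bug itself. It walks a folder (point it at wherever your Telegram Desktop client saves downloads) and flags any file whose bytes or name do not match the media type its extension claims: executable magic bytes under a media extension, a media header that is missing, an executable extension, or a double extension such as cat.jpg.py. The executable-extension list and the signature table are illustrative choices of this example, and the sample files it scans are constructed in a temporary directory so it runs offline.

```python
"""Flag downloaded 'media' files that look like something else.

Added example, not Telegram's or CertiK's code. Signature and extension
tables are illustrative assumptions; sample files are constructed below.
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Each extension maps to a list of alternatives; an alternative is a tuple of
# (offset, bytes) checks that must all match. Offsets follow the file formats.
MEDIA_MAGIC: dict[str, list[tuple[tuple[int, bytes], ...]]] = {
    ".jpg":  [((0, b"\xff\xd8\xff"),)],
    ".jpeg": [((0, b"\xff\xd8\xff"),)],
    ".png":  [((0, b"\x89PNG\r\n\x1a\n"),)],
    ".gif":  [((0, b"GIF87a"),), ((0, b"GIF89a"),)],
    ".webp": [((0, b"RIFF"), (8, b"WEBP"))],
    ".mp4":  [((4, b"ftyp"),)],            # ISO base media 'ftyp' box
    ".webm": [((0, b"\x1a\x45\xdf\xa3"),)],  # EBML header
}

# Leading bytes of common executable formats.
EXECUTABLE_MAGIC: dict[bytes, str] = {
    b"MZ": "Windows PE image",
    b"\x7fELF": "ELF image",
    b"#!": "script with shebang",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit image",
}

# Extensions a desktop OS will run rather than display (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".ps1",
                         ".js", ".vbs", ".msi", ".sh", ".py", ".pyw",
                         ".jar", ".lnk"}

HEADER_LEN = 16  # enough for every offset used in MEDIA_MAGIC


def _matches(head: bytes, alternative: tuple[tuple[int, bytes], ...]) -> bool:
    return all(head[off:off + len(sig)] == sig for off, sig in alternative)


def inspect_file(path: Path) -> list[str]:
    """Return findings for one file; an empty list means nothing looked wrong."""
    findings: list[str] = []
    head = path.read_bytes()[:HEADER_LEN]
    ext = path.suffix.lower()

    # 1. Executable content, whatever the name says.
    for sig, desc in EXECUTABLE_MAGIC.items():
        if head.startswith(sig):
            findings.append(f"content is a {desc}")
            break

    # 2. Claimed media type whose header is absent.
    expected = MEDIA_MAGIC.get(ext)
    if expected is not None and not any(_matches(head, alt) for alt in expected):
        findings.append(f"header does not match claimed type {ext}")

    # 3. Extension the OS would execute.
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {ext}")

    # 4. photo.jpg.py: the suffix that matters is the last one.
    inner_ext = Path(path.stem).suffix.lower()
    if inner_ext in MEDIA_MAGIC and ext in EXECUTABLE_EXTENSIONS:
        findings.append("media-looking name hides an executable suffix")
    return findings


def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Map file name to findings for every suspicious file under directory."""
    report: dict[str, list[str]] = {}
    for p in sorted(directory.rglob("*")):
        if p.is_file():
            findings = inspect_file(p)
            if findings:
                report[p.name] = findings
    return report


def build_sample_download_folder() -> Path:
    """Constructed sample files standing in for a download folder."""
    root = Path(tempfile.mkdtemp(prefix="tg_media_"))
    (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)   # genuine
    (root / "clip.mp4").write_bytes(b"\0\0\0\x18ftypmp42" + b"\0" * 32)   # genuine
    (root / "funny.mp4").write_bytes(b"MZ\x90\x00" + b"\0" * 60)           # PE as video
    (root / "cat.jpg.py").write_bytes(b"#!/usr/bin/env python3\nprint('hi')\n")
    (root / "installer.exe").write_bytes(b"MZ" + b"\0" * 62)
    return root


def demo() -> dict[str, list[str]]:
    """Scan the constructed folder and clean it up afterwards."""
    root = build_sample_download_folder()
    try:
        return scan_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

Magic-byte checks only catch files that are not what they claim to be; a malformed but genuinely formatted image that targets a decoder bug passes this test, which is why disabling auto-download, not post-hoc scanning, is the primary mitigation.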
Despite CertiK's warning, Telegram has denied that any such vulnerability exists in its client. The company said it could not confirm the reported issue, described the report as most likely a hoax, and said it had flagged it accordingly, while emphasizing its commitment to the security of the platform.
While Telegram maintains that automatic media downloads do not pose a threat, security researchers have reported similar media-handling issues in messaging clients in the past, and writing untrusted files to disk without user action remains a risk worth limiting. Telegram's bug bounty program, active since 2014, is the channel through which such reports are meant to be verified and fixed.