Modern web applications nowadays rely on a lot of technologies, so the typical web application vulnerabilities are hard to find (e.g. clickjacking is an ABC security bug), but bug hunters are always the best!
Let’s get to know Telegram better. Telegram is a cloud-based instant messaging service. Telegram clients exist for both mobile (Android, iOS, Windows Phone, Ubuntu Touch) and desktop systems (Windows, OS X, Linux). Users can send messages and exchange photos, videos, stickers and files of any type. Telegram also provides optional end-to-end encrypted messaging with self-destruct timers, but these features have been contested by security researchers and cryptography experts.
Telegram is supported by the Russian-born entrepreneur Pavel Durov, who is now a citizen of Saint Kitts and Nevis, travelling the world in self-imposed exile. Its client-side code is open-source software, whereas its server-side code is closed-source and proprietary. The service also provides APIs to independent developers.
Telegram was and still is a well-known messenger application for its strong end-to-end encryption, but how useful is strong crypto with a weak client!
Let’s tell you our story behind digging into Telegram’s Web Client…
[*] The bug:
0. Telegram’s web client does not protect itself from clickjacking with the typical “X-Frame-Options” header but uses a JS frame-busting technique to prevent the site from being framed. By abusing one of the HTML5 features, “sandboxed iframes”, framing Telegram becomes possible and we are never redirected to the top window location!
[*] Rolling around the bug:
Telegram uses an additional CSS trick: the main web app stylesheet sets the display property to “none” for the whole HTML tag, which makes the whole view invisible. This lowered our attack surface, but there’s still hope!
So all we need now is to block access to the style file responsible for styling the main web app HTML! Here comes the next part of the exploitation!
[*] The Prerequisites:
1. The attacker MITMs the local network and prevents access to this resource/path: https://web.telegram.org/css/app.css
[*] This part can be done with some tricks/other bugs (e.g. Deep Packet Inspection)
[*] We disclosed a more efficient way than MITMing a network to achieve this step to the Telegram Security Team!
[*] The Attack Scenario:
2. Frame the Settings page in a sandboxed iframe to prevent redirecting to the top window while still allowing scripts to run.
[*] The Impact: What can an attacker achieve?
– Change sensitive information of the currently logged-in Telegram user (password, recovery emails, etc.)
– Send messages on behalf of the currently logged-in Telegram user
– Send contact requests on behalf of the currently logged-in Telegram user
– Send group invites on behalf of the currently logged-in Telegram user
– Mark all the victim’s messages as read [CSRF] (by framing the URL paths to the conversations, e.g. https://web.telegram.org/#/im?p=@SymbianSyMoh)
This bug has now been fixed: the Telegram Web Client applies the “X-Frame-Options” header on the server side!
The PoC Video: