Google developer found a vulnerability in Telegram app


The version downloaded from the App Store gives unauthorized access to the MacBook camera and microphone.

The Telegram application for MacBook can be used to gain access to the device's camera and microphone. The vulnerability that allows this was discovered by Google developer Dan Revah, who explained his discovery in his blog.

The programmer found the vulnerability back in February 2023, but he published the information in May because Telegram had not responded to his messages about the privacy threat.

The security flaw found in Telegram allows recording video from the MacBook's camera and audio from the microphone by leveraging the fact that the user has granted Telegram permission to access the camera and microphone. Such actions are usually restricted in the macOS operating system, but Dan Revah found a way to bypass the restrictions using the permissions granted to the Telegram application.

He wrote a command that successfully triggered the video recording process using the Telegram infrastructure and then saved the recorded video.

A vulnerability is an opportunity to disrupt the functioning of an application, so the mere existence of a vulnerability does not necessarily mean that it has been exploited. However, when vulnerabilities are discovered, especially those threatening users' safety and privacy, the companies that own the applications typically seek to eliminate them. That has not happened with Telegram, Revah said.

The official Telegram account tweeted that the vulnerability could only be exploited if someone already had access to the victim's MacBook.

Furthermore, the vulnerability only works for the app version downloaded from the App Store, while the version downloaded from the official website does not have it.

In February 2023, Wired magazine reported on the possibility of extracting information from private or closed chats in Telegram, despite privacy settings.

Telegram is a major messenger in Russia, used by almost half of residents. The app is criticized for not using end-to-end encryption by default for regular conversations, as WhatsApp does, for example. It employs this scheme only in "secret chats," which are used by few people.

In the past, there were rumors that Telegram collaborates with Russian security agencies. Its creator, Pavel Durov, claimed in 2014 that the development company behind the app had been seized by allies of President Vladimir Putin and used to track down dissidents.