PT-2018-15375 · Telegram · Telegram

Capitan Alfalo

·

Published

2018-12-24

·

Updated

2024-08-05

·

CVE-2018-20436

CVSS v3.1

8.1

High

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Telegram version 4.9.1
Telegram Web version 0.7.0
Description
The issue concerns a side channel in the "secret chat" feature: Telegram servers send GET requests for URLs typed while composing a chat message, before the message is sent. GET requests are additionally sent to other URLs on the same web server. The operator of the targeted web server can therefore learn that a URL is being typed, and when, even if the message is never sent, which undermines the confidentiality expectation of secret chats. Because the requests originate from Telegram's infrastructure rather than from the user's device, the behavior can also be interpreted as a Server-Side Request Forgery (SSRF) issue. A third party has reported that the behavior may be caused by misconfiguration of the "Secret chats > Preview links" setting.
Recommendations
For Telegram version 4.9.1, disable the "Secret chats > Preview links" setting, which has been reported to control the prefetch, to minimize the risk of exploitation. For Telegram Web version 0.7.0, restrict use of the "secret chat" feature until the issue is resolved. As a temporary workaround, avoid using the "secret chat" feature in affected versions (or at least avoid typing or pasting URLs into it) until a fix is available.
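The practical check for this class of issue is a canary web server: host a page on a domain you control, type (but do not send) a URL with a unique path into a secret chat, then send it, and compare the server's request log against the moment you pressed send. The script below is an added example and is not Telegram's code or part of the original advisory. It records every GET with a timestamp, client IP and User-Agent, and `classify_hits` separates fetches of the canary path that arrived before the send time (the side channel described above) from fetches after it (ordinary link preview) and from requests for other paths on the same server. The hostname, port, the `/c/<hex>` canary path scheme and the `constructed_hits` sample log (the `ExampleBot/1.0` User-Agent and 203.0.113.10 address are constructed placeholders, not Telegram's real values) are assumptions for the example.

```python
"""Canary server plus log analysis for checking link-preview prefetch.

Added example, not Telegram's code. Host this on a domain you control,
type (do not send) a unique canary URL in a secret chat, then send it,
and compare what the server saw against the send time.
"""
import argparse
import secrets
import threading
import time
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


@dataclass(frozen=True)
class Hit:
    ts: float          # epoch seconds when the request arrived
    path: str
    user_agent: str
    client_ip: str


HITS: list[Hit] = []          # shared request log, guarded by LOCK
LOCK = threading.Lock()


def make_canary_path() -> str:
    """Fresh unguessable path, so a hit can only come from this test."""
    return "/c/" + secrets.token_hex(8)


class CanaryHandler(BaseHTTPRequestHandler):
    """Records every GET and answers 200 so a crawler keeps going."""

    def do_GET(self) -> None:
        hit = Hit(time.time(), self.path,
                  self.headers.get("User-Agent", ""), self.client_address[0])
        with LOCK:
            HITS.append(hit)
        print(f"{hit.ts:.3f} {hit.client_ip} GET {hit.path} {hit.user_agent!r}")
        body = b"<html><head><title>canary</title></head><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args) -> None:
        pass  # do_GET already prints one line per hit


def classify_hits(hits, canary_path: str, sent_at: float) -> dict:
    """Separate the two behaviours the advisory describes.

    pre_send_hits  : fetches of the canary URL before the message was sent
                     (the side channel: typing alone triggered a request)
    post_send_hits : fetches after sending (normal link preview)
    other_paths    : any other URL on this server that was requested
    """
    canary = [h for h in hits if h.path == canary_path]
    return {
        "pre_send_hits": sum(1 for h in canary if h.ts < sent_at),
        "post_send_hits": sum(1 for h in canary if h.ts >= sent_at),
        "other_paths": sorted({h.path for h in hits if h.path != canary_path}),
    }


def prefetch_observed(hits, canary_path: str, sent_at: float) -> bool:
    """True if the canary was fetched before the message was sent."""
    return classify_hits(hits, canary_path, sent_at)["pre_send_hits"] > 0


def constructed_hits() -> tuple[list[Hit], str, float]:
    """Constructed sample log (not real captured traffic) for an offline run:
    the URL was typed at t=1000 and the message sent at t=1010."""
    canary = "/c/0123456789abcdef"
    hits = [
        Hit(1002.0, canary, "ExampleBot/1.0", "203.0.113.10"),
        Hit(1002.5, "/robots.txt", "ExampleBot/1.0", "203.0.113.10"),
        Hit(1003.0, "/favicon.ico", "ExampleBot/1.0", "203.0.113.10"),
        Hit(1012.0, canary, "ExampleBot/1.0", "203.0.113.10"),
    ]
    return hits, canary, 1010.0


def serve(host: str, port: int) -> None:
    """Run the canary server until Ctrl-C; prefix the printed path with
    the public hostname of this machine when typing it into the chat."""
    server = ThreadingHTTPServer((host, port), CanaryHandler)
    print(f"canary path for this run: {make_canary_path()}")
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        server.server_close()


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", default="0.0.0.0")
    ap.add_argument("--port", type=int, default=8080)
    args = ap.parse_args()
    serve(args.host, args.port)
```

Run it once with "Secret chats > Preview links" enabled and once with it disabled; a canary hit that precedes the send time in the first run but not the second confirms the third-party attribution to that setting. Any requests for paths other than the canary (for example `/robots.txt` in the constructed log) show the second behaviour, fetches of other URLs on the same server.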

Tags: SSRF

Related Identifiers: CVE-2018-20436

Affected Products: Telegram