PT-2020-16227 · Telegram+1 · Telegram Desktop+1

Soheil Samanabadi

Published

2020-10-14

Updated

2021-07-21

CVE-2020-25824

CVSS v3.1

2.4

Low

Vector

AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Telegram Desktop versions 2.4.3 and earlier

Description The issue allows an attacker to access all chat conversations and media files without requiring a passcode when the Export key is pushed within the Export Telegram Data wizard. This can happen if the victim has opened the Export Wizard and is then distracted, leaving the desktop unattended. The attacker can then push the Export key to gain access to sensitive data.

Recommendations For Telegram Desktop versions 2.4.3 and earlier, as a temporary workaround, consider disabling the Export Telegram Data wizard until a patch is available. Restrict access to the Export key within the wizard to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

ALT-PU-2020-3181

CVE-2020-25824

Affected Products

Alt Linux

Telegram Desktop

PT-2020-16227 · Telegram+1 · Telegram Desktop+1

CVE-2020-25824

Weakness Enumeration

Related Identifiers

Affected Products

References · 7