KEY POINTS
- The problem in Telegram messenger’s macOS app was discovered in February
- The vulnerability made it possible for malware to access a device’s camera and microphone
- Telegram said the desktop app that can be downloaded through its website does not have this issue
Telegram messenger has fixed a security issue that was detected in its macOS app available via the App Store.
The detected vulnerability made it possible for malware to access a device’s camera and microphone, Meduza reported.
Telegram said in a tweet Tuesday that it has already eliminated the weakness in a new update of the app it just submitted to Apple.
The desktop app that can be downloaded through Telegram’s website does not have this issue, the company said.
The problem was first revealed Monday in a blog post by software engineer Dan Revah.
“[U]sing a vulnerability of a third-party application can grant us additional permissions and allow us to bypass Apple’s privacy mechanism,” his report said.
Matt Johansen, who describes himself as a computer security veteran who has worked with startups and “the biggest financial companies in the world,” broke down the issue in a Twitter thread. He tweeted that the weakness in the Telegram macOS app was first discovered in February.
“The weakness involves macOS’s Transparency, Consent, and Control (TCC) mechanism. This mechanism manages access to ‘privacy-protected’ areas in macOS, which Telegram’s vulnerability can exploit,” Johansen said.
He said that macOS Root users can never access the microphone and screen recording unless the app has “direct user consent or manually granted permissions.”
However, the vulnerability in Telegram’s macOS app was able to “sidestep” this security measure, which, according to Johansen, comes down to “Entitlements and Hardened Runtime.”
Entitlements are the permissions given to a “binary” in order to access privileges in the device like access to the microphone and camera. On the other hand, Hardened Runtime is the one that prevents exploits.
“iOS requires an app to be signed with Hardened Runtime entitlement to be uploaded to the App Store. macOS doesn’t have this requirement. This loophole can potentially leave macOS apps more vulnerable,” Johansen said.
According to the timeline provided by Revah, the vulnerability was discovered on Feb. 2. He said that he contacted security@telegram.org about the issue, but Telegram’s security team reportedly did not address it.
On Feb. 10, the vulnerability was reported to MITRE, a government-funded research organization specializing in cybersecurity issues, and on Feb. 26, it was reported to VINCE to get assistance in coordination with Telegram to fix the issue and make it public.
On Monday, the grace period with VINCE ended, and the vulnerability was disclosed to the public.
A more secure desktop version of Telegram is now awaiting approval from Apple and is expected to be soon made available for download from the App Store.
