Vulnerability in Telegram's Secret Chat Feature Affects Multiple Products
CVE-2018-20436

8.1 HIGH

Key Information:

Vendor:
Telegram

CVE Published:
24 December 2018

What is CVE-2018-20436?

The secret chat functionality in Telegram, for example version 4.9.1 for Android, has a significant security issue: while a user is still composing a message, Telegram servers make GET requests to any URL entered in it. If certain settings are misconfigured, this behavior can inadvertently expose sensitive data, because the server fetches the URL before the message is ever sent. It resembles a Server-Side Request Forgery (SSRF) issue, in which an attacker manipulates input URLs to make the application issue requests on their behalf. The flaw may also affect other products in the Telegram ecosystem, raising concerns about user privacy and data protection.

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
