Kaspersky Lab found a zero-day vulnerability in Telegram

14 February 2018
Kaspersky Lab experts reported the discovery of a zero-day vulnerability in one of the most popular messengers, Telegram. Attackers are reported to have been using this gap to infect victims' computers since at least March 2017. The vulnerability was found in the Telegram client for Windows. The attackers are known to have used it to install mining software as well as to gain control over the victim's system.

The flaw allowed them to use the classic right-to-left override attack model. It consists of sending the victim files whose name contains a special non-printing character, RLO, which mirrors the order of the characters that follow it. RLO is represented in the Unicode table as "U+202E". Normally it is used for writing in Arabic or Hebrew, for example. This is not how the attackers used it. During the attack, they would send malicious JS files with a name such as photo_high_re<U+202E>gnp.js. In such a case, the recipient would see the name photo_high_resj.png, think an ordinary image had been sent, and launch the malicious executable themselves when trying to view it.

Kaspersky Lab specialists have already notified Telegram developers of their finding. As of today, the vulnerability has been closed. The researchers also shared a curious observation: all of the detected cases of exploitation of the Telegram flaw occurred in Russia. This could mean that only attackers from our country were aware of it.
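The following is an added example, not code from the article or from Kaspersky Lab or Telegram, showing the defensive check a file-receiving application or mail/chat gateway can apply: scan an incoming filename for Unicode bidirectional control characters, compute the extension the user would see versus the extension the operating system will actually use, and flag the file when they disagree. The sample filenames are constructed to match the article's photo_high_re<U+202E>gnp.js case; the rendering model (text after the first U+202E shown reversed) is a simplification of the full Unicode bidi algorithm that is accurate for names made of Latin letters, digits and dots.

```python
"""Detect filenames that use Unicode bidirectional override characters
(such as U+202E RIGHT-TO-LEFT OVERRIDE) to disguise their true extension.
Added example; not part of the original article."""
import unicodedata

# Bidirectional control characters that can reorder how text is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # embeddings / overrides / pop
    "\u2066", "\u2067", "\u2068", "\u2069",             # isolates / pop isolate
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character used in the described attack


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def apparent_name(name):
    """Approximate what the user sees: everything after the first U+202E is
    displayed reversed, and the control character itself is invisible."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def true_extension(name):
    """The extension the OS actually dispatches on: text after the last '.'."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def apparent_extension(name):
    """The extension the user believes the file has."""
    return true_extension(apparent_name(name))


def strip_bidi_controls(name):
    """Sanitised form of the name, safe to log or to show as the 'real' name."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def analyze(name):
    """Summarise a filename; 'suspicious' is True when a bidi control makes the
    displayed extension differ from the real one (the RLO spoofing pattern)."""
    controls = find_bidi_controls(name)
    shown_ext = apparent_extension(name)
    real_ext = true_extension(name)
    return {
        "bidi_controls": controls,
        "apparent_name": apparent_name(name),
        "apparent_extension": shown_ext,
        "true_extension": real_ext,
        "sanitized_name": strip_bidi_controls(name),
        "suspicious": bool(controls) and shown_ext != real_ext,
    }


if __name__ == "__main__":
    # Constructed samples: the article's spoofed name and a benign image.
    for sample in ("photo_high_re\u202egnp.js", "holiday.png"):
        report = analyze(sample)
        print(f"{report['sanitized_name']!r}: shown as {report['apparent_name']!r}, "
              f"really .{report['true_extension']} -> suspicious={report['suspicious']}")
```

A gateway that applies this check would reject the file, or at least rename it to the sanitised form so the real `.js` extension is visible, before the recipient ever sees the spoofed name.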