Storm Brews Over That Telegram Flaw Nobody Asked For But Here We Are

Oh good. A no-click flaw. My absolute favorite kind. Because apparently the flock wasn't already doing enough damage by actively clicking things, now the wolves can get them without any participation required. Zero effort. Just existing on Telegram is enough. Beautiful.

Here's the deal: a researcher dropped claims about a critical flaw in Telegram, allegedly triggered by a corrupted sticker. A sticker. The little cartoon frogs and thumbs-up animations your lambs spam in the company group chat at 2am. CVSS score of 9.8 out of 10. That's basically a hole in the fence the size of a barn door, sitting right next to a sign that says "wolves welcome."

No user interaction needed. The parasite just... arrives. You don't click, you don't download, you don't even have to be awake. It finds you. Which is great news for me personally, a person who is never fully awake anymore.

Now here's the part that will really help your blood pressure: Telegram says the vulnerability doesn't exist.

They denied it. Flat out. The shepherds over at Telegram HQ looked at a 9.8 CVSS and said "nah, we're good actually." Meanwhile the researcher is standing in the field pointing at the hole in the fence and Telegram is telling everyone the fence is fine. The fence has always been fine. Please stop looking at the fence.

I don't know who's right. I'm too tired to know who's right. What I do know is that a 9.8 doesn't just fall out of the sky pasture for no reason, and "we deny it" is not the same as "we fixed it."

The flock, naturally, has no idea any of this is happening. They're still sending sticker packs.


Remediation

Look, until someone blinks and this gets officially confirmed or patched, here's what you do:

Disable auto-download of media in Telegram. Settings, Data and Storage, turn off automatic media downloads for everything. Photos, videos, files, all of it. Do it now. Do it on every device the lambs own, which means you'll be doing it yourself because they won't.

Consider whether your flock needs Telegram at all. Bold question. Unpopular with the shepherds. Ask it anyway.

Watch for any emergency shearing from Telegram. If a patch drops, apply it immediately, not "when you get a chance," not "after the weekend." Now.

Monitor for weird outbound traffic. If something's phoning home to a coyote, your electric fence logs should catch it. Check them. Yes, manually. I know.

Stay patched, stay suspicious, and maybe just use email like a normal barn.


Original Report: https://www.darkreading.com/application-security/storm-brews-critical-no-click-telegram-flaw