Pavel Durov denied Telegram vulnerability on macOS

Pavel Durov commented Appeared messages about the vulnerability in the application Telegram for macOS. He argues that in reality there is no vulnerability, since for this the user’s computer must already be compromised.

Russian newspapers write that Telegram allegedly “confirmed vulnerability” in the application for computers from Apple. This is not the case.

On the contrary, in our post we explained that there was no vulnerability. Because the stated “vulnerability” was as follows: “If an attacker already had access to your computer, he could control your camera and microphone via Telegram.” But if the computer is already compromised, then accessing the microphone via Telegram is the least of the problems to worry about.

As I noted earlier, in technical aspects, the media often chase big headlines and mislead users.

This is sad: as a result, people may not attach importance to real threats. For example, in WhatsApp, simply accepting a call or watching a video was enough for an attacker to gain full access to your phone. Because of this vulnerability, WhatsApp became a spyware that allowed hackers to hijack any smartphone with WhatsApp.

If the media headlines about imaginary and real threats are the same, people will stop taking them seriously – it will turn out like in the fable about the boy who unnecessarily shouted “Wolf”.

As previously reported security engineer Google discovered a vulnerability in the Telegram app for macOS that could be used to gain unauthorized access to the device’s camera. Usually, the TCC mechanism provided by Apple prevents third-party software from accessing the camera and microphone, but the researcher found that a malicious dynamic library (Dylib) can be injected into the Telegram application that bypasses this protection. Thus, an attacker can activate the computer’s camera and record video without any notification or indication to the user.

The Telegram vulnerability was identified as CVE-2023-26818 back in February of this year. The researcher tried to contact Telegram to fix the problem, but did not receive a response. As a result, he published a report disclosing information about the vulnerability.