A dangerous bug has been discovered in Telegram that allows attackers to activate the camera and microphone on laptops running macOS. Google engineer Dan Revah announced the finding, Forbes reports.
He discovered a vulnerability in the Telegram app for macOS and was able to bypass TCC (Transparency, Consent, and Control, the macOS privacy permission framework), gaining unauthorized access to the user's sensitive data and recording the user through the camera.
CVE-2023-26818: Latest blog post on how I found a vulnerability in Telegram's macOS app and was able to bypass TCC, giving me unauthorized access to sensitive user data and recording the user via camera. 🔒 📸#Cybersecurity #macOS https://t.co/HJwvJSE7Tv
— Dan Revah (@danrevah) May 15, 2023
For his part, cybersecurity specialist Matt Johansen explained that the bug allows attackers to record video with sound from the camera and save the file in a hidden folder on the Mac. Recording is possible even if the corresponding permissions are disabled. The expert believes this is possible because Telegram does not use Apple's built-in Hardened Runtime security mechanism.
🚨 A new vulnerability found in Telegram that can grant access to your camera and microphone.
Found by an engineer at Google, reported to Telegram and they haven't addressed it.
So now we get a detailed public disclosure!
How this works and what it means for your privacy 👇
— Matt Johansen (@mattjay) May 15, 2023
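Whether an installed app is signed with the Hardened Runtime mentioned above can be read from its code signature. The following is an added example, not code from the article or from Telegram: it parses the output of `codesign -dv --verbose=4` and tests the runtime bit (0x10000) in the CodeDirectory flags. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a macOS code signature by its Hardened Runtime flag.
CS_RUNTIME=65536   # 0x10000, the "runtime" bit in the CodeDirectory flags

# Read `codesign -dv --verbose=4` output on stdin and print one of:
# hardened, not-hardened, unsigned (no CodeDirectory line found).
hardened_runtime_state() {
    flags=$(sed -n 's/^CodeDirectory .*flags=\(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    if [ -z "$flags" ]; then
        echo unsigned
    elif [ $(( $flags & $CS_RUNTIME )) -ne 0 ]; then
        echo hardened
    else
        echo not-hardened
    fi
}

# Check every .app bundle in a directory (macOS only, needs codesign).
audit_apps() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        state=$(codesign -dv --verbose=4 "$app" 2>&1 | hardened_runtime_state)
        printf '%s\t%s\n' "$state" "$app"
    done
}

# Constructed sample outputs, not captured from any real application.
sample_hardened() {
    cat <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=21+7 location=embedded
EOF
}
sample_plain() {
    cat <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20400 size=1024 flags=0x0(none) hashes=21+5 location=embedded
EOF
}

if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    audit_apps "$1"          # on a Mac: pass a directory such as /Applications
else
    sample_hardened | hardened_runtime_state
    sample_plain | hardened_runtime_state
fi
```

Apps reported as not-hardened or unsigned that also hold camera or microphone permission are the ones worth reviewing first.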
Notably, the Google engineer reported the vulnerability back in February of this year, but the developers still have not fixed it.
Telegram, for its part, says that remote access to the camera and microphone is possible only if malicious software with root access is installed on the Mac. The situation arises when using the version of Telegram for macOS downloaded from the App Store, and an update with a fix is pending.
“If you downloaded the program from our site, it will not affect you,” Telegram warned.
It was previously reported that Telegram for macOS received a new Power Saving Mode, which should reduce the application's power consumption. The feature is available in Telegram version 9.4.1.