Telegram recently patched a zero-day vulnerability exposing Windows users to malicious Python script attacks. Criminals could use the vulnerability to bypass the Telegram Windows client’s security warnings and launch Python scripts automatically on the target’s machine.
As BleepingComputer reported, rumors on hacking forums and X recently described an “alleged remote code execution” vulnerability affecting Telegram’s Windows client.
Although the shortcoming was described as a zero-click flaw, fortunately, the vulnerability required user interaction to propagate on targeted systems, as shown in a video demo on social media.
Telegram was quick to dismiss the rumors, stating that it “can’t confirm that such a vulnerability exists” and that the “video is likely a hoax.”
However, shortly after, an XSS hacking forum user shared a proof-of-concept (POC) exploit, explaining that the vulnerability depicted in the video was caused by a typo in Telegram for Windows’ source code. According to the POC, the flaw could be exploited to send .pyzw Python scripts; when clicked, the files would bypass the client’s security warnings.
Telegram has built-in security mechanisms that prevent the execution of certain file types without warning. After receiving one of these potentially risky files, users are prompted with a security warning if they try to open them straight from the client (i.e., by clicking them).
The message warns users of the file’s extension, saying the document may harm their computer and asking for confirmation to launch or open it. Unfortunately, unrecognized file types fail to trigger this warning; the client launches them automatically, letting Windows decide which program to use.
The vulnerability only works on machines where Python for Windows is installed. Once the user clicks the .pyzw script, Python automatically executes it.
Although Telegram correctly recognized the .pyzw format as potentially harmful and added it to the list of “risky” executable file extensions, a typo threw a wrench in the security mechanism. The source code included .pywz as a potentially harmful extension, so files carrying the correct .pyzw extension were able to bypass the security warnings.
In other words, threat actors who sent maliciously crafted .pyzw Python scripts to unsuspecting Telegram for Windows users could have executed arbitrary code remotely on their machines. Granted, this could only happen if the victim actually opened the rogue document.
To make matters worse, researchers found a way to obfuscate the attack further, masquerading the malicious script as a shared video, along with a thumbnail. This cunning strategy could easily trick users into interacting with the rogue Python script, unwittingly launching it on their computers.
Telegram was made aware of the vulnerability on April 10, and they patched it by correcting the mistyped extension spelling in the Windows client’s source code.
However, the fix doesn’t yet show the same warning the client displays for other harmful extensions; instead of automatically launching the script in Python, it asks you which program to use to open it.
Although Telegram addressed the issue by rolling out a server-side fix, malicious Python scripts in instant messaging clients are only one of the online risks you’re exposed to.
Specialized security software like Bitdefender Ultimate Security can protect your devices from a broad range of intrusions, including zero-day exploits, viruses, Trojans, worms, rootkits, spyware, ransomware, and others.
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.