Messaging app Telegram denies users were at risk after a security exploit was discovered that could allow attackers to gain control of a device’s camera on macOS systems.
Messaging application Telegram has played down the severity of an discovered exploit that allowed researchers to gain access to camera systems of Apple macOS users.
Software engineer Dan Revah flagged the exploit in a blog post on May 15, outlining the method which allowed him to gain local privilege escalation to access a macOS user’s camera through permissions previously granted to an installed Telegram application.
By injecting a Dynamic Library into a user’s system, the exploit would allow recording from the device’s camera and the ability to save the file. Revah also claims that the exploit allows an attacker to bypass the Sandbox of the terminal using LaunchAgent. An attacker would also be able to gain more privileges to the system by accessing privacy-restricted areas.
Related: TON Telegram integration highlights synergy of blockchain community
Cointelegraph reached out to Telegram to ascertain whether its team had addressed concerns raised by Revah and the severity of the identified exploit. Telegram spokesperson Remi Vaughn said that Telegram users are not at risk by default, with the exploit requiring malware to be installed on their systems:
“This situation has more to do with Apple's permission security than it does with Telegram and can potentially affect any macOS app as a result. The real issue is that it seems to be possible to bypass Apple’s sandbox restrictions that were created specifically to prevent such abuse of third-party apps.”
Vaughn said that Telegram had executed changes that received approval by the App Store late on May 16. He also added that users that downloaded the Telegram app directly from the messaging application’s website were not at risk.
Cointelegraph has reached out to Apple for official comment regarding the exploit.
Telegram released an update in December 2022 which enables users to create accounts using blockchain-based anonymous numbers in a move to increase privacy and security.
The feature requires users to purchase blockchain-powered anonymous numbers from decentralized auction platform Fragment. User names and anonymous numbers sold on the platform are only compatible with Telegram and are bought and sold using the app’s native The Open Network (TON) tokens.
Telegram founder Pavel Durov indicated that the platform would be building a host of decentralized tools and services in November 2022, following the collapse of Sam Bankman-Fried’s FTX cryptocurrency exchange.
Magazine: Ordinals turned Bitcoin into a worse version of Ethereum: Can we fix it?
