Vulnerability in Telegram bot could allow attackers to remotely connect to victim’s host

• Attackers can exploit this vulnerability in the Telegram network to compromise victim’s host and send its operator information collected from the compromised host.
• This allows the attackers to connect to victim’s host remotely.

A piece of malware dubbed as GoodSender is a simple .NET program. This malware exploits the vulnerability in the Telegram network to compromise the victim’s host and send the information collected from the compromised host to the operator.

Security researchers from Forcepoint discovered that the Telegram Bot API uses a weaker level of protection for the messages. Attackers can exploit this weakness and recover the full messaging history of the target Telegram bot.

Weaker level of protection

Researchers discovered that the Telegram Bot API uses a weaker level of protection for the messages.

The researchers stated that users messages are secured with Telegram's own MTProto encryption within the TLS traffic, but Bot API messages are protected only by the HTTPS layer.

“The bot API token and a randomly generated chat ID are all someone in a man-in-the-middle position needs to accomplish just that. The former piece of information is present in the programs using the Telegram Bot API and in messages, while the latter is sent in Bot API requests,” researchers from Forcepoint said.

“To make matters worse any adversary capable of gaining a few key pieces of information transmitted in every message can not only snoop on messages in transit but can recover the full messaging history of the target bot,” researchers added.

With the use of 'forwardMessage()' method, the entire message log can be accessed, viewed and sent to any user, the Telegram bot has access to. Messages come with incremental IDs starting from zero, which allows identifying all messages in a group and forwarding them to an arbitrary user.

How does this work?

• Once the GoodSender malware is dropped, it creates a new administrator user account and enables remote desktop.
• The malware ensures that it's not blocked by the firewall.
• The username for the newly created admin account remains static but the password is randomly generated.
• All of this information (the username, password, and IP address of the victim) is sent to the operator through the Telegram network, thus providing the operator with access to the victim’s computer through RDP.

However, Forcepoint has reported the issue to Telegram and recommends users to avoid using Telegram bots and Telegram channels/groups with a bot.