A piece of malware dubbed as GoodSender is a simple .NET program. This malware exploits the vulnerability in the Telegram network to compromise the victim’s host and send the information collected from the compromised host to the operator.
Security researchers from Forcepoint discovered that the Telegram Bot API uses a weaker level of protection for the messages. Attackers can exploit this weakness and recover the full messaging history of the target Telegram bot.
Weaker level of protection
Researchers discovered that the Telegram Bot API uses a weaker level of protection for the messages.
The researchers stated that users messages are secured with Telegram's own MTProto encryption within the TLS traffic, but Bot API messages are protected only by the HTTPS layer.
“The bot API token and a randomly generated chat ID are all someone in a man-in-the-middle position needs to accomplish just that. The former piece of information is present in the programs using the Telegram Bot API and in messages, while the latter is sent in Bot API requests,” researchers from Forcepoint said.
“To make matters worse any adversary capable of gaining a few key pieces of information transmitted in every message can not only snoop on messages in transit but can recover the full messaging history of the target bot,” researchers added.
With the use of 'forwardMessage()' method, the entire message log can be accessed, viewed and sent to any user, the Telegram bot has access to. Messages come with incremental IDs starting from zero, which allows identifying all messages in a group and forwarding them to an arbitrary user.
How does this work?
However, Forcepoint has reported the issue to Telegram and recommends users to avoid using Telegram bots and Telegram channels/groups with a bot.
Publisher