Matt Johansen · May 15 · 12 tweets
🚨 A new vulnerability found in Telegram's macOS app can grant access to your camera and microphone.

Found by an engineer at Google and reported to Telegram, which hasn't addressed it.

So now we get a detailed public disclosure!

How this works and what it means for your privacy 👇
On macOS, even the root user can't access the microphone or screen recording unless the app has been granted that permission, either through direct user consent or a manually granted setting.

But this newly discovered weakness in Telegram's macOS application can sidestep that security measure.
The weakness was discovered in February, and despite attempts to alert Telegram's security team, the issue remains unresolved.

The vulnerability was publicly disclosed today after the grace period for coordinated disclosure through VINCE (CERT/CC's vulnerability coordination platform) expired.
The weakness involves macOS's Transparency, Consent, and Control (TCC) mechanism.

TCC manages access to "privacy-protected" resources in macOS, such as the camera and microphone, and the Telegram vulnerability lets an attacker sidestep it.
What makes an application like Telegram susceptible to this? It comes down to Entitlements and Hardened Runtime.

Entitlements are permissions attached to a signed binary that grant it specific privileges, like accessing the microphone. Hardened Runtime is a code-signing option that blocks certain kinds of exploitation, including library injection, unless the app explicitly opts out via entitlements.
iOS requires an app to be signed with the Hardened Runtime entitlement before it can be uploaded to the App Store.

macOS doesn't have this requirement.

This gap can leave macOS apps more vulnerable.
DYLD_INSERT_LIBRARIES, an environment variable, is instrumental here.

It holds a list of libraries that the dynamic linker loads into a process before the application's own code starts up.

In Telegram's case, this allowed a dylib injection because the app was not signed with Hardened Runtime.
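The two properties the thread has just described (is Hardened Runtime set, and do any entitlements re-enable dyld injection anyway) are things a defender can check on any installed app. The script below is an added example, not code from the thread or from Dan's write-up; the `codesign -dvv` and `codesign -d --entitlements :-` invocations are assumed from that tool's long-standing flags, and the sample outputs are constructed, not captured from a real Telegram build.

```shell
# Audit a macOS app for the two properties discussed above: does its code
# signature carry the Hardened Runtime flag, and does it hold entitlements
# that re-enable dyld injection anyway. The parsers take text so they run
# anywhere; audit_app wires them to the real codesign(1) tool on macOS.

# Returns 0 if `codesign -dvv` output shows the runtime flag.
has_hardened_runtime() {
    printf '%s\n' "$1" | grep -Eq 'flags=0x[0-9a-f]+\([^)]*runtime[^)]*\)'
}

# Prints each injection-enabling entitlement whose value is <true/>.
risky_entitlements() {
    printf '%s\n' "$1" | awk '
      /<key>com\.apple\.security\.cs\.(allow-dyld-environment-variables|disable-library-validation)<\/key>/ {
          key = $0
          if ((getline line) > 0 && line ~ /<true\/>/) {
              gsub(/<\/?key>|^[ \t]+/, "", key); print key
          }
      }'
}

# Constructed sample outputs (not captured from a real Telegram build).
SAMPLE_SIG_HARDENED='Identifier=com.example.app
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded'
SAMPLE_SIG_PLAIN='Identifier=com.example.app
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+7 location=embedded'
SAMPLE_ENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <false/>
</dict>
</plist>'

# Run both checks against an installed app bundle (macOS only).
audit_app() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found; run on macOS"; return 2; }
    sig=$(codesign -dvv "$1" 2>&1)                      # codesign prints details on stderr
    ents=$(codesign -d --entitlements :- "$1" 2>/dev/null)
    if has_hardened_runtime "$sig"; then echo "Hardened Runtime: enabled"
    else echo "Hardened Runtime: MISSING (DYLD_INSERT_LIBRARIES is honored)"; fi
    risky=$(risky_entitlements "$ents")
    [ -z "$risky" ] || printf 'Entitlements that re-enable injection:\n%s\n' "$risky"
}
```

On a Mac, `audit_app /Applications/SomeApp.app` reports both findings; an app that holds camera or microphone entitlements but lacks the runtime flag is exactly the shape of the weakness described here.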
To demonstrate, the researchers created a dylib in Objective-C that captures video from the camera and saves the recording to a file.

It was successfully loaded into the Telegram app, bypassing the Hardened Runtime restrictions.
However, when the dylib was injected from the Terminal, it was the Terminal app rather than Telegram that tried to access the camera, because of Sandbox restrictions.

The researchers had to get around the Terminal's Sandbox by using LaunchAgents to successfully load the dylib into Telegram.
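Because the write-up's working path ran through LaunchAgents, the matching detection is to look for agent plists that set DYLD_INSERT_LIBRARIES. This scanner is an added example (not from the thread or Dan's write-up); the plists it builds are constructed samples, and the paths in them are placeholders.

```shell
# Look for LaunchAgents that set DYLD_INSERT_LIBRARIES, the route the
# write-up used to get the dylib loaded outside the Terminal sandbox.
# Any plist whose EnvironmentVariables name that variable deserves review.

# Prints "file: dylib" for every plist under $1 that injects a library.
find_dyld_agents() {
    for plist in "$1"/*.plist; do
        [ -f "$plist" ] || continue
        awk -v f="$plist" '
          /<key>DYLD_INSERT_LIBRARIES<\/key>/ && (getline line) > 0 {
              gsub(/.*<string>|<\/string>.*/, "", line)
              print f ": " line
          }' "$plist"
    done
}

# Build a temp dir holding a constructed injecting agent and a benign one
# (sample data, not real artifacts) so the scanner can be run offline.
make_sample_dir() {
    dir=$(mktemp -d)
    cat > "$dir/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/Example.app/Contents/MacOS/Example</string></array>
    <key>EnvironmentVariables</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Users/Shared/inject.dylib</string>
    </dict>
</dict>
</plist>
EOF
    cat > "$dir/com.example.benign.plist" <<'EOF'
<plist version="1.0"><dict><key>Label</key><string>com.example.benign</string></dict></plist>
EOF
    echo "$dir"
}
```

On a real system, run `find_dyld_agents ~/Library/LaunchAgents` and the same for `/Library/LaunchAgents`; any hit is worth checking against what the user actually installed.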
The result? A successful dylib injection that could use the permissions already granted to Telegram to record the user.

This effectively bypasses Apple's privacy mechanisms, raising security concerns.
Thanks @danrevah for the awesome research and write up.

To read the whole thing check out Dan's blog:
danrevah.github.io/2023/05/15/CVE…

Stay safe out there!
Want to get news like this from me every week?

mattjay.com/newsletter

More from @mattjay

Mar 22
🎓A masterclass in vulnerability chaining to achieve a much more impactful exploit:

XSS -> Steal everyone's cleartext passwords.

This one is from the archives - a 2018 bug. But it demonstrates some concepts important even today.
McDonald's AngularJS app had a fairly simple XSS bug in its search parameter. It required a sandbox escape, but it was a widely known one at the time and was built into Burp:

{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
The next thing McDonalds did wrong was store the user's password client side with some weak crypto libraries.

Just an overall bad idea.
Mar 18
90-second incident response primer: (Long 🧵)

1. Have a solid incident response plan in place before an incident occurs. This will save you valuable time - and give a foundation to your response team.
2. Quickly identify and isolate the affected systems or accounts to contain the damage and prevent the spread of the attack.

3. Gather as much information as possible about the incident to determine the nature and scope of the attack.
4. Prioritize your response efforts based on the severity of the attack and the criticality of the affected systems.

5. Identify and remediate the root cause of the incident to prevent similar attacks from being successful. (Especially immediate recompromise)