Telegram addresses camera exploit, points to Apple macOS security permissions

5



Messaging application Telegram has played down the severity of a discovered exploit that allowed researchers to gain access to camera systems of Apple macOS users. 

Software engineer Dan Revah flagged the exploit in a blog post on May 15, outlining the method allowing him to gain local privilege escalation to access a macOS user’s camera through permissions previously granted to an installed Telegram application.

By injecting a dynamic library into a user’s system, the exploit would allow recording from the device’s camera and the ability to save the file. Revah also claims that the exploit allows an attacker to bypass the sandbox of the terminal using a launch agent. An attacker could also gain more privileges to the system by accessing privacy-restricted areas.

Related: TON Telegram integration highlights synergy of blockchain community

Cointelegraph reached out to Telegram to confirm whether its team had addressed concerns raised by Revah and to ascertain the severity of the identified exploit. Telegram spokesperson Remi Vaughn said that Telegram users are not at risk by default, with the exploit requiring malware to be installed on their systems:

“This situation has more to do with Apple’s permission security than it does with Telegram and can potentially affect any macOS app as a result. The real issue is that it seems to be possible to bypass Apple’s sandbox restrictions that were created specifically to prevent such abuse of third-party apps.”

Vaughn said that Telegram had executed changes that received approval from the Apple App Store late on May 16. He also added that users that downloaded the Telegram app directly from the messaging application’s website were not at risk.

Cointelegraph has reached out to Apple for an official comment regarding the exploit.

Telegram released an update in December 2022, enabling users to create accounts using blockchain-based anonymous numbers to increase privacy and security.

The feature requires users to purchase blockchain-powered anonymous numbers from the decentralized auction platform Fragment. User names and anonymous numbers sold on the platform are only compatible with Telegram, and are bought and sold using the app’s native The Open Network (TON) tokens.

In November 2022, Telegram founder Pavel Durov indicated that the platform would be building a host of decentralized tools and services following the collapse of Sam Bankman-Fried’s FTX cryptocurrency exchange.

Magazine: Ordinals turned Bitcoin into a worse version of Ethereum: Can we fix it?