  1. Forwarded from 🐱MiaoTony's Box | 困困困 zzz (MiaoTony 🐱)
    #今天又看了啥 #telegram #security #CVE #XSS
    Telegram Web app XSS/Session Hijacking 1-click [CVE-2024-33905]

    Attack surface: Telegram Mini Apps
    “Telegram Mini Apps are essentially web applications that you can run directly within the Telegram messenger interface. Mini Apps support seamless authorization, integrated crypto and fiat payments (via Google Pay and Apple Pay), tailored push notifications, and more.”
    This attack surface also affects web3 users because it handles crypto payments through the TON Blockchain.

    Telegram fixed the flaw on March 11th, 2024.
    Vulnerable version: Telegram WebK 2.0.0 (486) and below
    Fixed version: Telegram WebK 2.0.0 (488)

    https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90