16 May, 2023

An engineer at Google has found a vulnerability in Telegram's macOS application that can grant access to a user's camera and microphone.

The issue, which was discovered in February, is related to macOS's Transparency, Consent, and Control mechanism, which manages access to privacy-protected areas on the operating system.

The vulnerability stems from a loophole in the way Entitlements and Hardened Runtime work on macOS, which can leave macOS apps more exposed to exploitation.

iOS requires an app to be signed with the Hardened Runtime entitlement before it can be uploaded to the App Store; macOS has no such requirement.

The researchers successfully demonstrated how a dylib (Dynamic Library) injection could bypass Telegram's security measures, raising concerns about the app's security.

To demonstrate, the researchers created a dylib in Objective-C that captures video from the camera and saves the recording to a file. It was successfully loaded into the Telegram app, bypassing the Hardened Runtime restrictions.
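For defenders, the condition described above can be checked from an app's code-signing metadata. The script below is an added example, not code from the researcher or from Telegram: it reads the text printed by `codesign -dv` and the app's entitlements plist and reports whether Hardened Runtime is absent, present but relaxed by a library-loading entitlement, or intact. The sample metadata and the `com.example.chat` identifier are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article). Classifies an app's exposure to
# dylib injection from its code-signing metadata.

# classify <codesign -dv text> <entitlements plist text>
# Echoes: no-hardened-runtime | runtime-weakened | hardened
classify() {
  local info="$1" ents key
  # Collapse whitespace so "<key>..</key> <true/>" matches across lines.
  ents=$(printf '%s' "$2" | tr -d '[:space:]')
  # Hardened Runtime shows up as the "runtime" flag on the CodeDirectory line.
  if ! printf '%s\n' "$info" |
       grep -Eq '^CodeDirectory .*flags=0x[0-9a-fA-F]+\([^)]*runtime[^)]*\)'; then
    echo "no-hardened-runtime"; return 0
  fi
  # These entitlements relax library loading even when the flag is set.
  for key in disable-library-validation allow-dyld-environment-variables; do
    case "$ents" in
      *"<key>com.apple.security.cs.$key</key><true/>"*)
        echo "runtime-weakened"; return 0 ;;
    esac
  done
  echo "hardened"
}

# Constructed sample metadata (not taken from any real app).
SAMPLE_PLAIN='Identifier=com.example.chat
CodeDirectory v=20400 size=512 flags=0x0(none) hashes=8+5 location=embedded'
SAMPLE_RUNTIME='Identifier=com.example.chat
CodeDirectory v=20500 size=512 flags=0x10000(runtime) hashes=8+7 location=embedded'
SAMPLE_ENTS_WEAK='<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key> <true/>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict></plist>'
SAMPLE_ENTS_OK='<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
</dict></plist>'

# On macOS, pass an app bundle path to audit it with the real codesign tool.
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
  classify "$(codesign -dv --verbose=4 "$1" 2>&1)" \
           "$(codesign -d --entitlements :- "$1" 2>/dev/null)"
fi
```

An app that has been granted camera or microphone access and is reported as `no-hardened-runtime` or `runtime-weakened` is the kind of target the injection described here relies on.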

The issue is described in a Twitter thread by Matt Johansen:

Update

A Telegram representative exclusively confirmed to our colleagues at @d_code that the alleged vulnerability in question 'does not put users at risk by default'. In order for the situation described by the researcher to occur, malware must have been installed on the user's system.

"This situation has more to do with Apple's permission security than it does with Telegram and can potentially affect any macOS app as a result. The real issue is that it seems to be possible to bypass Apple’s sandbox restrictions that were created specifically to prevent such abuse of third-party apps," said the representative.

"Still, Telegram has made the changes it could do on its side – and the update is available in the App Store. Those who use the app downloaded from our site were never at risk at all," added the messenger representative.