Modern web applications rely on many technologies in which typical web application vulnerabilities are hard to find (e.g. clickjacking is an ABC security bug), but bug hunters are always the best!
Let’s get to know Telegram first. Telegram is a cloud-based instant messaging service. Telegram clients exist for both mobile (Android, iOS, Windows Phone, Ubuntu Touch) and desktop systems (Windows, OS X, Linux). Users can send messages and exchange photos, videos, stickers and files of any type. Telegram also provides optional end-to-end encrypted messaging with self-destruct timers, but these features have been contested by security researchers and cryptography experts.
Telegram is supported by the Russian-born entrepreneur Pavel Durov, who is now a citizen of Saint Kitts and Nevis, travelling the world in self-imposed exile. Its client-side code is open-source software, whereas its server-side code is closed-source and proprietary. The service also provides APIs to independent developers.
Telegram was, and still is, a well-known messenger application thanks to its strong end-to-end encryption. But how useful is strong crypto paired with a weak client?
Let us tell you the story behind our digging into Telegram’s web client…
[*] The bug:
0. The Telegram web client does not protect itself from clickjacking with the usual “X-Frame-Options” header; instead it relies on a JavaScript frame-busting technique to prevent the site from being iframed. By using one of the HTML5 features, “sandboxed iframes”, iframing Telegram becomes possible and we are never redirected to the top window location!
[*] Rolling around the bug:
Telegram uses an additional CSS trick: the main web app stylesheet sets the display property of the whole HTML tag to “none”, which makes the entire view invisible. This lowered our attack surface, but there is still hope!
So all we need now is to block access to the stylesheet responsible for styling the main web app HTML! Here comes the next part of the exploitation!
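Neither the JavaScript frame buster nor a display:none rule shipped in an external stylesheet substitutes for a response header the browser enforces before the page ever runs. As an added example (not from the original write-up), this Python checker classifies a response by its X-Frame-Options and CSP frame-ancestors headers; the sample header sets are constructed, with the first mirroring the unprotected state described above.

```python
"""Audit HTTP response headers for anti-framing protection.

Added example, not part of the original write-up: it checks whether a
response carries a header-based defence (X-Frame-Options or CSP
frame-ancestors) that client-side frame busting lacks. Samples are constructed.
"""
from typing import Dict, List, Optional


def _header_values(headers: Dict[str, str], name: str) -> List[str]:
    # Header names are case-insensitive; accept any casing of the key.
    return [v for k, v in headers.items() if k.lower() == name.lower()]


def csp_frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for policy in _header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: Dict[str, str]) -> str:
    """Classify a response as denied, restricted, weak or unprotected."""
    ancestors = csp_frame_ancestors(headers)
    if ancestors is not None:
        # Browsers that support frame-ancestors ignore X-Frame-Options,
        # so the CSP directive decides when both are present.
        return "denied" if ancestors == ["'none'"] else "restricted"
    xfo = [v.strip().upper() for v in _header_values(headers, "X-Frame-Options")]
    if not xfo:
        return "unprotected"
    if "DENY" in xfo:
        return "denied"
    if "SAMEORIGIN" in xfo:
        return "restricted"
    # ALLOW-FROM is obsolete and ignored by current browsers.
    return "weak"


# Constructed samples: a response with no framing headers, as the write-up
# describes for the web client, beside a hardened response.
UNPROTECTED = {"Content-Type": "text/html", "Cache-Control": "no-cache"}
HARDENED = {
    "content-type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
```

Run it against the headers of any page (for instance those printed by `curl -I`) to see at a glance whether framing is blocked server-side rather than by page scripts.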
[*] The Prerequisites:
1. The attacker is MITMing the local network and is able to prevent access to this resource/path: https://web.telegram.org/css/app.css