-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTelegram:CVE-2020-10570
49 lines (35 loc) · 1.57 KB
/
Telegram:CVE-2020-10570
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Hi World,
Please refer poc for my discovered CVE-2020-10570 in Telegram android version 5.12 & earlier.
[ Description]
The Telegram application through 5.12 for Android, when Show Popup is enabled, might allow physically proximate attackers
to bypass intended restrictions on message reading and message replying. This might be interpreted as a bypass of the passcode feature.
------------------------------------------
[VulnerabilityType Other]
Passcode feature fails to preserve user's privacy due to conflict with popup notification feature
------------------------------------------
[Vendor of Product]
Telegram android application
------------------------------------------
[Affected Product Code Base]
Telegram android - 5.12 and earlier
------------------------------------------
[Affected Component]
Affected Telegram android version 5.12 & earlier
------------------------------------------
[Attack Type Other]
Passcode bypass due to "popup" notification feature
------------------------------------------
[Impact Informahttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10570tion Disclosure]
true
[Reference]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10570
https://vuldb.com/?id.152183
[Timelines]
1. Report to telegram on 10 October, 2019
2. Initial acknowledgement received from vendor on Nov 19, 2019
3. Send the confirmation showing existence of vulnerability Nov 19, 2019
4. Vendor patched Vulnerability in 5.13 version & acknowledged on 31 Dec, 2019
5. Bounty received on 14 jan, 2020
Regards,
Vijay Tikudave
https://in.linkedin.com/in/vijay-tikudave