Skip to content
Telegram (v4.9.155353) was rendering file:// links + opening them via -> code execution.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
exploit.html feat: initial commit Dec 8, 2019 fix: markdown styling Dec 8, 2019


In Telegram for macOS v4.9.155353 (and below) URL parsing logic in Telegram for macOS platform allows running arbitrary executables and applications URI schemes via links injected into the website's preview.


  1. Send a link to exploit.html - a regular HTML file with <meta property="og:title" content="file:// ssh://" /> tag
  2. Website preview renders file:// and ssh:// as links
  3. Click on the rendered links behaves as util -> if points to executable -> code execution.
  4. Click on ssh:// link -> popups with an active ssh session disclosing user's OS username, ip and other details.


The bug could be used...

  • to disclose info about user's machine -> OS username, IP, etc
  • to run arbitrary executables and opening arbitrary files on OS
  • to launch arbitrary applications via URI schemes

This bug could be chained with Quarantine issue to open downloaded quarantine-ignored files and chain this into running of attacker-supplied executable.

Additional Details

This bug also exists in iOS, PoC is the same. Impact possibly limited to URI schemes.

PoC URL ->

You can’t perform that action at this time.