Telegram For Mac Malware Can Access Your Camera And Microphone; New Update Released
iOS VPN App
- The problem in Telegram messenger’s macOS app was discovered in February
- The vulnerability made it possible for malware to access a device’s camera and microphone
- Telegram said the desktop app that can be downloaded through its website does not have this issue
Telegram messenger has fixed a security issue that was detected in its macOS app available via the App Store.
The detected vulnerability made it possible for malware to access a device’s camera and microphone, Meduza reported.
Telegram said in a tweet Tuesday that it has already eliminated the weakness in a new update of the app it just submitted to Apple.
The desktop app that can be downloaded through Telegram’s website does not have this issue, the company said.
The problem was first revealed Monday in a blog post by software engineer Dan Revah.
“[U]sing a vulnerability of a third-party application can grant us additional permissions and allow us to bypass Apple’s privacy mechanism,” his report said.
Matt Johansen, who describes himself as a computer security veteran who has worked with startups and “the biggest financial companies in the world,” broke down the issue in a Twitter thread. He tweeted that the weakness in the Telegram macOS app was first discovered in February.
“The weakness involves macOS’s Transparency, Consent, and Control (TCC) mechanism. This mechanism manages access to ‘privacy-protected’ areas in macOS, which Telegram’s vulnerability can exploit,” Johansen said.
He said that macOS Root users can never access the microphone and screen recording unless the app has “direct user consent or manually granted permissions.”
However, the vulnerability in Telegram’s macOS app was able to “sidestep” this security measure, which, according to Johansen, comes down to “Entitlements and Hardened Runtime.”
Entitlements are the permissions given to a “binary” in order to access privileges in the device like access to the microphone and camera. On the other hand, Hardened Runtime is the one that prevents exploits.
“iOS requires an app to be signed with Hardened Runtime entitlement to be uploaded to the App Store. macOS doesn’t have this requirement. This loophole can potentially leave macOS apps more vulnerable,”…