Chaining Telegram bugs to steal session-related files.
We will discuss the chaining of two bugs on the telegram android application, which can make malicious applications steal internal telegram files, including the session.
Almost all messengers have an activity that can receive any type of content like images, videos, text, etc.. and forward that content to chat or a thread on the application.
For example, Open the gallery on your phone, select a photo, click on “Share it” or “Open With”, you will see a popup with some of the applications on your device, those applications appears because all of them have a sharing activity that can receive images, exactly like a telegram:
As we can see in
<intent-filter>, LaunchActivity in telegram can handle data with mimeType:
Turn feature into security bug
Before diving into how this feature can go on the wrong way, we have to figure out the intent that is being sent when sharing an image to the application or what happens on your gallery application when you chose to share an image, here is an example for that intent:
The above code shows you what exactly is being sent to any share activity, it sends the
Uri of the file, but not the file content, and when
LaunchActivity in telegram receives that
Uri the file will be opened in the telegram’s context and will show the user a chats list activity to let the user select a chat to send the file to.
Now, It is a nice idea to trick the telegram application, and instead of send a
Uri of file in the sd card, we will send a path of an internal file on telegram.
Can you bypass?
the above code, orders the telegram application to share
/data/data/org.telegram.messenger/shared_prefs/userconfing.xml file to chat, but when running this code, telegram shows a toast with a message:
it seems I’m that telegram check if the
Uri refers to internal file by
I was trying to bypass this method for a week, without any result. Hmmm, sit back to see the big picture and relax, we don’t have to bypass that method to complete the attack!
How telegram actually opens the file from the
Uri we sent? actually, after the
isInternalUri method it will forward to
copyFileToCache method, its name is clear, it will copy the file to the cache, but how?
It opens the
openInputStream, and it means that it can open
Uri refers to provider, it gives us an option to send provider
Uri instead of file scheme
I checked the telegram providers and found a provider that can refer to an internal telegram file and pass the
openFile method in the provider takes the file path from
final_path parameter and returns
ParcelFileDescriptor of that file.
the following Provider Uri
content://org.telegram.messenger.notification_image_provider/msg_media_raw/1/test.txt?final_path=/data/data/org.telegram.messenger/shared_prefs/userconfing.xml refers to
And it passes the
The above code will force the telegram to open an internal file and share it to a chat, but to which chat? It still requires a heavy interaction which forces the user to select the attacker chat. Impossible.
New feature, bad implementation.
ChooserTargetService is a new feature that came to Android API 7 years ago. In the popup that shows you all applications you can send your file to, something new came to that list which is a list of specific people on the. specific applications, you can send them the file directly by clicking on their pictures.
To implement this feature in your application, you will implement a new service that extends
ChooserTargetService and it will be used to tell the os about the items or people to list on that popup:
And In the Sharing activity you will have to handle a new extra, and this extra will be that chat id or thread id to send the content directly to it.
But this implementation lacks security. How the
SharingActivity knows if the direct share intent was populated or not? If any application sends a sharing intent to the activity and set the extra that carries the target chat id to any chat id, the application will send the file directly to that chat without user interaction!
Telegram had the same issue, by sending
dialogId extra with any chat id to the telegram application, it will send the message or file direct to that chat without any more user interaction.
The above code will exploit the two bugs and send
/data/data/org.telegram.messenger/shared_prefs/userconfing.xml file to
100000000 chat id directly without user-interaction, to reproduce the full exploit, downgrade your telegram to 5.4.0.
See you on new write-up Soon!