Chaining Telegram bugs to steal session-related files.

Sharing Activity

Almost all messengers have an activity that can receive any type of content like images, videos, text, etc.. and forward that content to chat or a thread on the application.

Turn feature into security bug

Before diving into how this feature can go on the wrong way, we have to figure out the intent that is being sent when sharing an image to the application or what happens on your gallery application when you chose to share an image, here is an example for that intent:

Can you bypass?

New feature, bad implementation.

ChooserTargetService is a new feature that came to Android API 7 years ago. In the popup that shows you all applications you can send your file to, something new came to that list which is a list of specific people on the. specific applications, you can send them the file directly by clicking on their pictures.

Final Exploit

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store