From: Pedro Batista
Date: Sun, 28 Apr 2024 17:59:34 +0200
To: oss-security@lists.openwall.com
Subject: [oss-security] Telegram Web app XSS / Session Hijacking 1-click

Hi oss-security,

I would like to share a vulnerability I reported in the Telegram Web application, which is open source (https://github.com/morethanwords/tweb). The vulnerability is an XSS that can be exploited to achieve session hijacking with 1 click using Telegram Mini Apps.

I reported the vulnerability on March 9th, 2024, and Telegram promptly fixed it on March 11th, 2024.
# Vulnerable version: Telegram WebK 2.0.0 (486) and below
# Fixed version: Telegram WebK 2.0.0 (488)

# Attack Surface

## Telegram Mini Apps

“Telegram Mini Apps are essentially web applications that you can run directly within the Telegram messenger interface. Mini Apps support seamless authorization, integrated crypto and fiat payments (via Google Pay and Apple Pay), tailored push notifications, and more.”

> https://core.telegram.org/bots/webapps
> https://ton.org/mini-apps

It is important to highlight that this feature is heavily used for crypto payments on the TON Blockchain.

# Static Analysis

A cached version of the vulnerable file can be found here:

- https://web.telegram.org/k/appDialogsManager-aLs9GOvc.js

```
telegramWebView.addMultipleEventsListeners({
  // [...]
  web_app_open_link:({url:t})=>{window.open(t,"_blank")}
}
```

The vulnerability was triggered via `postMessage` communication by abusing the event `web_app_open_link`, which allowed a new URL to remain within the JavaScript context of the parent window, using the `javascript:` scheme as the XSS payload.

# Weaponized Setup

1. Attacker creates a Bot + Mini App
2. Sets the URL of the Mini App => https://evil.com/homepage.html
3. The exploit will be hosted on the homepage of the attacker’s site
   3.1. homepage.html

```
```

# Telegram Patch Commit

https://github.com/morethanwords/tweb/commit/2153ea9878668769faac8dd5931b7e0b96a9f129/src/components/popups/webApp.ts

```
export default function safeWindowOpen(url: string) {
  window.open(url, '_blank', 'noreferrer');
}
```

# Demo

I have published a writeup for this finding which includes the Exploit Demo; it's available here:

https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90

I recently requested a CVE for this vulnerability as well, and look forward to updating the thread as soon as it is issued.

Thanks for looking into my report.

Best regards,
Pedro Baptista
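The `web_app_open_link` handler pattern described in the advisory, placed beside a hardened form, as an added example that is not Telegram's code and not the reporter's exploit. The helper names (`isSafeExternalUrl`, `unsafeOpenLink`, `safeOpenLink`, `handleWebAppMessage`, `makeFakeWindow`) are hypothetical, the `{eventType, eventData}` JSON envelope is assumed from the Telegram Mini Apps documentation, and the fake window stands in for the browser so the block runs under Node:

```javascript
// Added example (not tweb's code): why a bare window.open(url) on a URL
// supplied by an embedded Mini App is an XSS sink, and what a hardened
// handler checks. All helper names here are hypothetical.

// Only absolute http(s) links may leave the host page. The WHATWG URL parser
// lowercases the scheme and strips leading whitespace / embedded tabs and
// newlines, so "JavaScript:" and " java\tscript:" both normalise to
// "javascript:" and are rejected by this allow-list.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function isSafeExternalUrl(raw) {
  if (typeof raw !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(raw);            // throws on relative paths and garbage
  } catch (_) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// The pattern quoted in the advisory: the attacker-controlled URL goes
// straight to window.open. A "javascript:" URL opened this way runs in a
// browsing context that inherits the opener's origin, i.e. web.telegram.org.
function unsafeOpenLink(win, url) {
  return win.open(url, '_blank');
}

// Hardened form: scheme allow-list first, then noopener/noreferrer
// (noreferrer implies noopener) so the new page gets neither window.opener
// nor a Referer header. Returns the URL that was opened, or null if dropped.
function safeOpenLink(win, url) {
  if (!isSafeExternalUrl(url)) {
    return null;                      // never hand a non-http(s) URL to window.open
  }
  win.open(url, '_blank', 'noopener,noreferrer');
  return url;
}

// Dispatcher for the JSON envelope a Mini App posts to its host window.
// Assumed shape: {"eventType": "...", "eventData": {...}}.
function handleWebAppMessage(win, data) {
  let msg;
  try {
    msg = JSON.parse(data);
  } catch (_) {
    return { handled: false, reason: 'bad-json' };
  }
  if (!msg || typeof msg !== 'object') return { handled: false, reason: 'bad-json' };
  if (msg.eventType !== 'web_app_open_link') return { handled: false, reason: 'unknown-event' };
  const url = msg.eventData && msg.eventData.url;
  return { handled: true, opened: safeOpenLink(win, url) };
}

// Minimal stand-in for the browser window so this runs under Node;
// it records every open() call instead of opening anything.
function makeFakeWindow() {
  const calls = [];
  return {
    calls,
    open(url, target, features) {
      calls.push({ url, target, features });
      return null;
    },
  };
}

// Constructed sample messages, as a Mini App iframe would post them.
function demo() {
  const payload = JSON.stringify({
    eventType: 'web_app_open_link',
    eventData: { url: 'javascript:alert(document.cookie)' },
  });
  const benign = JSON.stringify({
    eventType: 'web_app_open_link',
    eventData: { url: 'https://example.com/' },
  });
  const vulnerable = makeFakeWindow();
  unsafeOpenLink(vulnerable, JSON.parse(payload).eventData.url);
  const hardened = makeFakeWindow();
  const blocked = handleWebAppMessage(hardened, payload);
  const allowed = handleWebAppMessage(hardened, benign);
  console.log('vulnerable handler opened:', vulnerable.calls);
  console.log('hardened handler result for javascript: URL:', blocked);
  console.log('hardened handler result for https URL:', allowed, hardened.calls);
}

demo();
```

The scheme check is the part that actually closes the hole; `noopener`/`noreferrer` is defence in depth that also stops the opened page from reaching back through `window.opener`.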