From: Pedro Batista
Date: Tue, 30 Apr 2024 11:30:09 +0200
To: oss-security@lists.openwall.com
Subject: [oss-security] Re: Telegram Web app XSS / Session Hijacking 1-click

CVE-2024-33905

On Sun, Apr 28, 2024 at 5:59 PM Pedro Batista wrote:
> Hi oss-security,
> I would like to share a vulnerability I reported on the Telegram Web
> application, which is open source (https://github.com/morethanwords/tweb).
> The vulnerability is an XSS that can be exploited to achieve session
> hijacking with 1-click using Telegram Mini Apps.
>
> I reported the vulnerability on March 9th, 2024 and Telegram promptly
> fixed it on March 11th, 2024.
>
> # Vulnerable version: Telegram WebK 2.0.0 (486) and below
> # Fixed version: Telegram WebK 2.0.0 (488)
>
> # Attack Surface
> ## Telegram Mini Apps
> “Telegram Mini Apps are essentially web applications that you can run
> directly within the Telegram messenger interface. Mini Apps support
> seamless authorization, integrated crypto and fiat payments (via Google Pay
> and Apple Pay), tailored push notifications, and more.”
>
> https://core.telegram.org/bots/webapps
> https://ton.org/mini-apps
>
> It is important to highlight that this feature is heavily used for crypto
> payments on the TON Blockchain.
>
> # Static Analysis
> A cached version of the vulnerable file can be found here:
> - https://web.telegram.org/k/appDialogsManager-aLs9GOvc.js
>
> ```
> telegramWebView.addMultipleEventsListeners({
>   // [...]
>   web_app_open_link: ({url: t}) => { window.open(t, "_blank") }
> });
> ```
> The vulnerability was triggered with `postMessage` communication by
> abusing the event `web_app_open_link`, which allowed a new URL to remain
> within the JavaScript context of the parent window using the `javascript:`
> scheme as XSS payload.
>
> # Weaponized Setup
> 1. Attacker creates a Bot + Mini App
> 2. Sets the URL of the Mini App => https://evil.com/homepage.html
> 3. The exploit will be hosted in the homepage of the attacker’s site
> 3.1. homepage.html
> ```
>
> ```
>
> # Telegram Patch Commit
> https://github.com/morethanwords/tweb/commit/2153ea9878668769faac8dd5931b7e0b96a9f129/src/components/popups/webApp.ts
>
> ```
> export default function safeWindowOpen(url: string) {
>   window.open(url, '_blank', 'noreferrer');
> }
> ```
>
> # Demo
> I have published a writeup for this finding which includes the Exploit
> Demo; it's available here:
> https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90
>
> I recently requested a CVE for this vulnerability as well, looking forward
> to updating the thread as soon as it is issued.
>
> Thanks for looking into my report.
>
> Best regards,
> Pedro Baptista
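As an added example (not code from the tweb project or from the report above), a defensive counterpart to the patched `safeWindowOpen`: a `web_app_open_link` handler that parses the URL carried in the untrusted `postMessage` payload, opens only `http:`/`https:` targets, and passes `noopener,noreferrer` so the new window has no handle on the parent. The `openWindow` callback, the function names and the sample payloads are assumptions made for this example so it runs outside a browser.

```javascript
// Added example, not tweb code: validate a URL taken from an untrusted
// postMessage payload before it ever reaches window.open().
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized URL if it is safe to open in a new tab, else null.
// WHATWG URL parsing lowercases the scheme and strips leading/trailing
// whitespace and control characters, so " JAVASCRIPT:..." is still caught.
function safeExternalUrl(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw); // no base URL: relative inputs are rejected too
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Hardened counterpart of the vulnerable `web_app_open_link` listener.
// `openWindow` stands in for window.open so the logic is testable in Node.
// Returns true when a window was opened, false when the payload was refused.
function handleOpenLink(payload, openWindow) {
  const url = safeExternalUrl(payload && payload.url);
  if (url === null) return false;
  // With noopener the new browsing context gets no opener, so even a
  // javascript: URL could not run in the parent's context; the scheme
  // allowlist above is the primary control, this is defence in depth.
  openWindow(url, "_blank", "noopener,noreferrer");
  return true;
}

// Constructed sample payloads, shaped like a Mini App's postMessage data.
const SAMPLE_PAYLOADS = [
  { url: "https://example.com/shop?item=1" },
  { url: "javascript:alert(1)" },
  { url: " JAVASCRIPT:alert(1)" },
  { url: "data:text/html,<b>x</b>" },
  { url: "//example.com/protocol-relative" },
  { notUrl: true },
];

// Runs every sample through the handler; records which URLs were opened.
function runSamples() {
  const opened = [];
  const results = SAMPLE_PAYLOADS.map((p) =>
    handleOpenLink(p, (url) => opened.push(url))
  );
  return { results, opened };
}
```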