Telegram bot API flaw gives threat actors command & control

News by Davey Winder

Research from Forcepoint Security Labs has revealed that the Telegram encrypted messaging service isn't quite as secure as users might like to think.

The researchers found that Telegram could easily be used as malware Command and Control (C2) infrastructure. Not every Telegram user is affected by this finding, but a subset certainly is.

The Forcepoint researchers were investigating the GoodSender malware when they came across what they call "a significant flaw" in the way Telegram handles messages sent through the Telegram Bot API. Telegram is marketed as a secure messaging application, a reputation helped by the fact that normal chat traffic is protected by Telegram's own encryption protocol (MTProto) rather than by plain TLS.

Or at least it is for normal chat messages. Bot communications, by contrast, are encrypted in transit only by a standard HTTPS layer, which means, the researchers say, that any and all historic bot messages can be "replayed by an adversary capable of intercepting and decrypting HTTPS traffic." In other words, a man-in-the-middle actor could gain access to the bot token and chat_id. The token is the bot's only credential to the Bot API, so anyone who recovers it can act as the bot until the token is revoked. Since bots often share chat sessions with humans, chats between real people are also at risk.
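The exposure is easiest to see in the shape of a Bot API request itself. The following Python snippet is an added example, not code from Forcepoint's research or from Telegram: it scans constructed proxy-log lines for Bot API calls, shows that the bot token sits in the URL path right beside the chat_id, redacts the token so that it can be logged safely, and groups source hosts by bot ID so that several internal hosts polling the same bot (the beaconing pattern a Telegram-based C2 channel would produce) stand out. The log line format and the assumed token shape in the regular expression are illustrative assumptions, not a Telegram specification.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# The Bot API addresses every call as https://api.telegram.org/bot<TOKEN>/<method>,
# so whoever can read the decrypted HTTPS request (a TLS-inspecting proxy, an
# on-host agent, or the adversary Forcepoint describes) holds the token and, for
# sendMessage-style calls, the chat_id as well.
# Assumption: tokens look like "<bot_id>:<30+ URL-safe chars>"; this is based on
# publicly observed tokens, not on a documented format.
BOT_API_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")

# Constructed sample proxy log (not real traffic): "<timestamp> <src_ip> <verb> <url>".
SAMPLE_LOG = """\
2018-11-14T10:01:02Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw/getUpdates?offset=42&timeout=30
2018-11-14T10:01:03Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw/sendMessage?chat_id=-1001234567890&text=hello
2018-11-14T10:01:04Z 10.0.0.7 GET https://www.example.com/index.html
2018-11-14T10:01:05Z 10.0.0.6 GET https://api.telegram.org/bot123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw/getUpdates?offset=43&timeout=30
"""


def redact_token(token):
    """Keep the bot_id (not secret) and mask the secret half for logging."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def parse_bot_api_calls(log_text):
    """Return one record per Telegram Bot API request found in the log text."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed log layout
        ts, src, verb, url = parts
        u = urlsplit(url)
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_API_RE.match(u.path)
        if not m:
            continue
        token = m.group("token")
        # chat_id travels in the query string (or the request body) next to the token
        chat_id = parse_qs(u.query).get("chat_id", [None])[0]
        records.append({
            "ts": ts,
            "src": src,
            "verb": verb,
            "api_method": m.group("method"),
            "bot_id": token.split(":", 1)[0],
            "token_redacted": redact_token(token),
            "chat_id": chat_id,
        })
    return records


def hosts_per_bot(records):
    """Map bot_id -> sorted list of source hosts that talked to that bot."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["bot_id"]].add(r["src"])
    return {bot_id: sorted(srcs) for bot_id, srcs in hosts.items()}


if __name__ == "__main__":
    calls = parse_bot_api_calls(SAMPLE_LOG)
    for c in calls:
        print(c["ts"], c["src"], c["api_method"], c["token_redacted"], c["chat_id"])
    # Two distinct hosts polling getUpdates with the same token is the kind of
    # pattern worth a second look when hunting for a Telegram-based C2 channel.
    print(hosts_per_bot(calls))
```

The redaction keeps the bot ID, which is needed to correlate hosts, while dropping the secret half, since a detection pipeline that stores full tokens would simply recreate the exposure the research describes.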

Luke Somerville, head of special investigations at Forcepoint, told SC Media UK that the risk to enterprises should be fairly low, though he did warn that: "Businesses clearly do use Telegram and if developers operate a bot like this in a channel where they discuss technical issues or post code, IP could be at risk."

Indeed, this was confirmed by Ed Williams, director EMEA of SpiderLabs at Trustwave, who told SC Media UK that he knows from personal experience: "There are some instances when these ‘secure’ applications are useful in an enterprise environment." He gave the example of performing a red team engagement, and liaising with a dedicated point of contact, where he wouldn’t want to communicate over email as the blue team could potentially have access to mailboxes. "We need another secure method of communication and these fit the bill perfectly," Williams explained, adding: "I wouldn’t expect these methods of communication to overtake traditional mechanisms in the near term, but they have their place for sure in a modern environment."

Jake Moore, a cyber-security expert at ESET UK, reckons that this isn't the first time these sorts of secure messaging apps have been used as malware control channels, and that: "Messaging via smartphones rather than using the desktop application will mitigate this particular vulnerability due to the more secure nature of smartphones." Morten Brøgger, CEO of end-to-end encryption platform Wire, disagrees. "Messages are not truly end-to-end encrypted because if the receiver of a message is offline, the message does not get encrypted," he said, continuing: "Neither Signal nor Telegram are designed for enterprise and therefore are not suitable for business use."

John Safa, founder of Pushfor, agrees. In conversation with SC Media UK, Safa said that apps like Telegram and Signal should not be used by the enterprise at all, as they are run from servers not controlled by enterprise clients. "The client should have full control on this server of where and how it runs," Safa insisted, adding: "Both apps focus on end-to-end encryption but the biggest threat is who the message is sent to." Unsurprisingly, Safa recommends using a secure content delivery platform such as his own, as this not only gives enterprise clients full control of where the data is stored but also: "The content is never stored on a recipient device, so protecting content from leakage, be that by a human or bot actor."

As for mitigating the risk of this kind of exploit for those who do want to stick with Telegram, Somerville advises that: "Users concerned by this should avoid using Telegram bots as well as avoiding channels and groups in which a bot is present," concluding: "With regards to the GoodSender malware (or indeed any other malware using Telegram bots as a C2 mechanism) we recommend, as always, that users ensure they have robust malware protection in place..."
