Forcepoint exposes security flaw in bots on Telegram

The bots of Telegram, the messaging service for sending encrypted messages, can be abused as infrastructure for malware. The vulnerability was discovered by Forcepoint Security Labs, which specializes in security software.

Forcepoint discovered that the bots on Telegram do not use the same advanced encryption algorithm as the regular communication via the service, making it easier for attackers to intercept messages. Telegram uses its proprietary MTProto encryption for messages, but for bot traffic, the service simply relies on https.

According to the researchers, this problem undermines the security of the entire chat app. Telegram bots are integrated programs that automatically perform certain tasks in chats or public channels. For example, there are bots that offer other keyboards, generate memes or even accept payments.

“During our investigation of certain malware, we discovered a serious flaw in the way Telegram handles messages sent through its Bot API,” said Forcepoint. Telegram’s Bot API allows hackers to use the messaging service as a command and control channel for malware, according to the company. More specifically, it concerns the malware known as GoodSender. When activated, the malware creates a new administrator user and enables remote desktop. To be able to exploit the vulnerability, a so-called man in the middle attack is required. The attacker intercepts a token that is sent in all bot messages and a chat_id, which can be found in api requests from bots.