Blockchain security startup CertiK recently raised concerns about the security risks associated with using Telegram’s desktop application due to a potential vulnerability in the media auto-download feature. However, Telegram has refuted these claims and challenged the alleged high-risk vulnerability identified by CertiK.
According to CertiK, there is a possible risk of a remote code execution (RCE) attack through images and videos sent on Telegram’s private messaging app. Users were advised to disable automatic download settings as a precautionary measure. However, CertiK did not provide detailed information on how it discovered this vulnerability.
In response to CertiK’s claim, Telegram stated that there have been no reported cases of RCE attacks leading to crypto wallet hacks among its 800 million users worldwide. The platform dismissed the notion that users are at risk if they have automatic media downloads enabled.
Following the controversy, crypto.news reached out to Polyzoa founder Kirill Tiufanov for his expert opinion on the RCE attack vector highlighted by CertiK. Tiufanov, a seasoned web3 security expert, expressed skepticism about the vulnerability, citing the lack of technical details provided by CertiK.
While the debate continues, CertiK recommends that users disable automatic media downloads on the Telegram desktop application to enhance security. Despite this potential vulnerability, Telegram remains a popular choice for blockchain enthusiasts because it supports crypto-related features, such as BonkBot and wallets, while ensuring security.
Although Telegram does not directly support cryptocurrencies, it serves as a gateway for users and merchants to send and receive digital asset payments. Projects like Grindery, backed by Binance Labs, have utilized account abstraction smart contracts to facilitate one-click transactions on the platform. Additionally, Telegram has introduced a revenue-sharing system supported by its parent company’s Toncoin, offering users incentives for displaying ads on channels.