
Arbitrary Code Execution via InstantView | TeleSec

submitted by
Style Pass
2024-04-16 11:00:02

Telegram Desktop added the InstantView feature in the update to version 4.16. On a technical level, this implementation renders client-side generated HTML code in a WebView.

A Stored XSS vulnerability allows the attacker to permanently inject and execute malicious JavaScript code in the Web application page. The victim's browser executes the malicious code each time the victim visits the permanently modified page.

Through an unsanitized input, it was possible to inject JavaScript code into the InstantView. This allows a loss of data confidentiality, such as disclosure of the victim's IP address, and gives the attacker the ability to execute arbitrary JavaScript code in the victim's browser, which InstantView does not permit.

Arbitrary Code Execution is a vulnerability that allows an attacker to execute arbitrary code on the target system. The attacker can execute commands or code with the privileges with which Telegram Desktop was run, thus gaining access to available network and system resources. An attacker with these privileges could cause serious damage to the confidentiality, integrity, and availability of data.

The QDesktopServices::openUrl function allows for the execution of any file on the victim's PC. When combined with the InstantView vulnerability, it is also possible to download files into the download folder and execute them. This can result in a significant loss of confidentiality, integrity, and availability of data.
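The two defensive checks these findings call for, as an added example that is not Telegram Desktop's code or its fix: escaping untrusted text before it enters client-generated HTML, and refusing anything but web links before a URL reaches an opener such as QDesktopServices::openUrl. It uses only the C++ standard library; the function names and the http/https allowlist are assumptions.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Escape untrusted text before it is concatenated into client-generated HTML,
// so markup in the input is rendered as text rather than parsed by the WebView.
std::string escape_html(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Lower-cased RFC 3986 scheme, or "" when the string does not start with one
// (relative paths, leading whitespace, empty input).
std::string url_scheme(const std::string& url) {
    if (url.empty() || !std::isalpha(static_cast<unsigned char>(url[0]))) return "";
    std::string scheme;
    for (unsigned char c : url) {
        if (c == ':') return scheme;
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return "";
        scheme += static_cast<char>(std::tolower(c));
    }
    return "";  // no ':' found
}

// Gate for URLs requested by page content: only web links with a host part
// may be handed to the OS opener. file: URLs, drive paths such as C:\... and
// scheme-less local paths are refused. The allowlist is an assumption.
bool may_open_externally(const std::string& url) {
    const std::string s = url_scheme(url);
    if (s != "http" && s != "https") return false;
    return url.compare(s.size(), 3, "://") == 0 && url.size() > s.size() + 3;
}

int main() {  // constructed sample inputs
    for (const char* u : {"https://example.org/a", "file:///tmp/a.sh", "C:\\dl\\a.exe"})
        std::cout << u << " -> " << may_open_externally(u) << "\n";
    std::cout << escape_html("<img src=x onerror=\"a()\">") << "\n";
}
```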
