VYPR
Unrated severity · NVD Advisory · Published May 1, 2020 · Updated Aug 4, 2024

CVE-2020-12474

Description

Telegram Desktop through 2.0.1, Telegram through 6.0.1 for Android, and Telegram through 6.0.1 for iOS allow an IDN Homograph attack via Punycode in a public URL or a group chat invitation URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Telegram clients allow IDN homograph attacks by displaying Punycode URLs as legitimate domain names, tricking users into visiting malicious sites.

Vulnerability

Telegram Desktop through 2.0.1, Telegram for Android through 6.0.1, and Telegram for iOS through 6.0.1 fail to properly display internationalized domain names (IDN) in public URLs and group chat invitation URLs. By using Punycode-encoded characters that visually resemble ASCII characters, an attacker can craft a URL that appears to point to a trusted domain (e.g., example.com) while actually directing the browser to a different, attacker-controlled domain [1].

Exploitation

An attacker needs only the ability to post a message containing a crafted URL in a Telegram chat or group, or to create a group invitation link with a Punycode-based domain. No authentication beyond normal chat access is required. When a user clicks the link, the Telegram client renders the URL with the visually identical but fraudulent domain, and the user’s browser or Telegram’s internal browser navigates to the attacker’s site [1].

Impact

Successful exploitation leads to a false sense of trust in the destination domain, enabling phishing, malware distribution, or credential theft. The attacker gains no direct access to Telegram infrastructure, but can leverage the user’s mistaken belief that they are on a legitimate site, resulting in information disclosure or further compromise of the user’s accounts and data [1].

Mitigation

Fixed in Telegram Desktop 2.0.2 and Telegram for Android/iOS 6.0.2. The update enforces display of the Punycode representation for internationalized domain names, preventing the homograph attack. Users should update to the latest version available from official channels [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
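
The mitigation described above (showing the Punycode form of an internationalized host instead of its Unicode rendering) can be sketched as a link check. This is an added example, not Telegram's code: `inspect_link`, its helpers and the `.test` sample hosts are constructed for illustration, and it uses Python's raw `punycode` codec without the UTS #46 mapping a production client would apply.

```python
import unicodedata
from urllib.parse import urlsplit

def to_ascii(label):
    """ASCII (Punycode) form of one DNS label; simplified, no UTS #46 mapping."""
    if label.isascii():
        return label.lower()
    return "xn--" + label.lower().encode("punycode").decode("ascii")

def to_unicode(label):
    """Unicode form of one label; malformed xn-- labels are returned unchanged."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label

def scripts(text):
    """Scripts of the letters in text, taken from Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}

def inspect_link(url):
    """Return the host form a client should display, plus homograph indicators."""
    labels = (urlsplit(url).hostname or "").split(".")
    uni = [to_unicode(l) for l in labels]
    return {
        "display": ".".join(to_ascii(l) for l in labels),  # safe: always ASCII
        "unicode": ".".join(uni),                          # what a spoofable UI shows
        "idn": any(not l.isascii() for l in uni),
        # A single-script lookalike is not "mixed", so "idn" alone must
        # already be enough to force the Punycode display.
        "mixed_script": any(len(scripts(l)) > 1 for l in uni),
    }

# Constructed sample: Cyrillic U+0435 replaces Latin "e", under the reserved .test TLD.
SPOOF = "https://xn--" + "\u0435xample".encode("punycode").decode("ascii") + ".test/join"

if __name__ == "__main__":
    for link in (SPOOF, "https://example.test/join"):
        print(link, inspect_link(link))
```
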

Affected products

4

Patches

0

No patches discovered yet.

References

1
