CVE-2023-26818
Description
Telegram 9.3.1 and 9.4.0 allows attackers to access restricted files, microphone, or video recording via the DYLD_INSERT_LIBRARIES flag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Telegram 9.3.1 and 9.4.0 on macOS allow local attackers to bypass TCC and access restricted files, microphone, or camera via DYLD_INSERT_LIBRARIES dylib injection.
Vulnerability
Telegram versions 9.3.1 and 9.4.0 for macOS contain a vulnerability where the DYLD_INSERT_LIBRARIES environment variable is not sanitized, allowing an attacker to inject arbitrary dynamic libraries into the Telegram process [1]. This issue exists because Telegram does not restrict the use of this variable, enabling code execution with the app's own entitlements [1].
Exploitation
To exploit this, an attacker must have local access to the target macOS system and be able to set environment variables for the Telegram process. The attacker crafts a malicious dylib that, when loaded by Telegram, can invoke TCC-protected APIs (e.g., camera, microphone) using the permissions already granted to Telegram [1]. This can be achieved via a LaunchAgent or by manipulating the app launch environment; no user interaction beyond launching Telegram is required [1].
Impact
Successful exploitation allows the attacker to bypass macOS Transparency, Consent, and Control (TCC) framework restrictions and access the microphone, camera, or restricted files that Telegram has permission to use [1]. The attacker gains the same privacy-sensitive access as Telegram itself, leading to unauthorized audio/video recording and file access [1].
Mitigation
As of the disclosure date (2023-05-15), Telegram had not released a patch for this vulnerability despite prior notification [1]. Users should monitor for updates from Telegram; until a fix is available, not running Telegram with untrusted environment variables and restricting the app's permissions in System Preferences may reduce risk [1].
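The Exploitation and Mitigation paragraphs above point at two things a defender can actually check: whether any launchd job on the host relaunches an application with DYLD_INSERT_LIBRARIES (or another DYLD_* variable) in its EnvironmentVariables dictionary, and whether a given binary would honor such variables at all. The script below is an added example written for this page; it is not code from the CVE record, its references, or Telegram. It parses launchd plists with the standard plistlib module and reports each DYLD_* variable found, and includes a small helper that encodes a fact not stated on the page: under Apple's hardened runtime, dyld ignores DYLD_* variables unless the binary carries the com.apple.security.cs.allow-dyld-environment-variables entitlement. The two plists, the label com.example.demo.injector, the program path /Applications/Example.app/Contents/MacOS/Example and the library path /tmp/placeholder.dylib are all constructed placeholders.

```python
"""Added example (not from the CVE record): find launchd jobs that set DYLD_*
variables, and decide whether a binary would honor them.

Constructed inputs: the two plists below are sample data written for this demo,
not files observed on a real system.
"""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Variables dyld reads from the environment that can redirect library loading.
DYLD_KEYS = ("DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH")

# Real hardened-runtime entitlement that re-enables DYLD_* variables for a binary.
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"


def inspect_launchd_plist(data: bytes, name: str = "<inline>") -> list:
    """Return one finding per DYLD_* key in the plist's EnvironmentVariables dict."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError):
        return [{"plist": name, "error": "not a valid plist"}]
    env = plist.get("EnvironmentVariables")
    if not isinstance(env, dict):
        return []
    # launchd jobs name their executable via Program or ProgramArguments[0].
    program = plist.get("Program") or (plist.get("ProgramArguments") or ["?"])[0]
    findings = []
    for key in DYLD_KEYS:
        if key in env:
            findings.append({
                "plist": name,
                "label": plist.get("Label"),
                "program": program,
                "variable": key,
                "value": env[key],
                # DYLD_* values are colon-separated lists of paths.
                "libraries": [p for p in str(env[key]).split(":") if p],
            })
    return findings


def scan_directory(path: Path) -> list:
    """Inspect every *.plist in a launchd directory (e.g. ~/Library/LaunchAgents)."""
    findings = []
    for plist_path in sorted(path.glob("*.plist")):
        findings.extend(inspect_launchd_plist(plist_path.read_bytes(), str(plist_path)))
    return findings


def dyld_env_honored(hardened_runtime: bool, entitlements: dict) -> bool:
    """True if dyld would act on DYLD_* variables for this binary.

    With the hardened runtime enabled (codesign -dv shows the 'runtime' flag),
    dyld drops DYLD_* variables unless the allow-dyld-environment-variables
    entitlement is present. Without the hardened runtime they are honored
    (platform-restricted and setuid binaries aside).
    """
    if not hardened_runtime:
        return True
    return bool(entitlements.get(ALLOW_DYLD_ENV, False))


# Constructed sample: a LaunchAgent that relaunches an app with an injected dylib.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.demo.injector</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/Example</string></array>
  <key>EnvironmentVariables</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/tmp/placeholder.dylib</string>
  </dict>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary job whose environment carries nothing of interest.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.demo.updater</string>
  <key>Program</key><string>/usr/local/bin/example-updater</string>
  <key>EnvironmentVariables</key>
  <dict><key>PATH</key><string>/usr/bin:/bin</string></dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        for finding in inspect_launchd_plist(sample):
            print(finding)
    # On a real host, also walk the user's LaunchAgents directory if it exists.
    agents = Path.home() / "Library" / "LaunchAgents"
    if agents.is_dir():
        for finding in scan_directory(agents):
            print(finding)
    print("hardened, no entitlement:", dyld_env_honored(True, {}))
```

Pair the scan with `codesign -d --entitlements - <app>` and `codesign -dv <app>` on the binaries those jobs launch: a hit only matters for a process that would honor the variable, and an application that ships without the hardened runtime, or with the allow-dyld-environment-variables entitlement, is exactly the shape this advisory describes.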
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Telegram / Telegram
- Range: 9.3.1, 9.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.