CVE-2024-33905
Description
In Telegram WebK before 2.0.0 (488), a crafted Mini Web App allows XSS via the postMessage web_app_open_link event type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-33905 is a cross-site scripting (XSS) vulnerability in Telegram WebK prior to 2.0.0 (488).
Vulnerability
CVE-2024-33905 describes a cross-site scripting (XSS) vulnerability in Telegram WebK, the official web client for Telegram. The vulnerability affects versions prior to 2.0.0 (488) and lies in how the client handles the postMessage event type web_app_open_link. A crafted Telegram Mini Web App can exploit this flaw to inject malicious scripts.
Exploitation
To exploit the vulnerability, an attacker would create or use a malicious Telegram Mini App that sends a specifically crafted postMessage with the web_app_open_link event type. When the victim interacts with this Mini App (a one-click interaction is mentioned in the advisory), the Telegram WebK client's window.open call is triggered with an attacker-controlled URL without proper sanitization [2][3]. The fix replaced window.open with safeWindowOpen, which validates or sanitizes the URL before opening it [3].
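The handler pattern described above, as an added defensive illustration (this is not Telegram WebK's code, and safeWindowOpen here is a hypothetical reconstruction, not the project's actual function): the client receives a web_app_open_link message from the Mini App frame, checks the sender origin, validates the URL's scheme against an allowlist, and only then calls window.open. The message shape `{ eventType, eventData: { url } }`, the names handleWebAppMessage, validateOpenLinkUrl and ALLOWED_SCHEMES, the http/https allowlist, and the injectable `opener` (so the block runs under Node without a browser) are all assumptions made for this example.

```javascript
// Added example, not code from Telegram WebK. Names and message shape are assumed.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']); // allowlist is a design choice

// Return a normalised URL string if `raw` is safe to hand to window.open, else null.
// Parsing with no base URL rejects relative and malformed input; the scheme check
// drops javascript:, data:, blob: and other non-web schemes.
function validateOpenLinkUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// The pattern the advisory describes: the Mini App's URL goes straight to window.open.
function unsafeWindowOpen(url, opener) {
  return opener(url);
}

// Hardened replacement (hypothetical, not the project's own safeWindowOpen):
// validate first, then open without handing the new page a reference to the opener.
function safeWindowOpen(url, opener) {
  const checked = validateOpenLinkUrl(url);
  if (checked === null) return false;
  opener(checked, '_blank', 'noopener,noreferrer');
  return true;
}

// Dispatch one postMessage event. `expectedOrigin` stands for the Mini App
// iframe's origin; `opener` stands for window.open so the code runs headless.
function handleWebAppMessage(event, expectedOrigin, opener) {
  if (event.origin !== expectedOrigin) return 'ignored: origin';
  let msg = event.data;
  if (typeof msg === 'string') {
    try { msg = JSON.parse(msg); } catch { return 'ignored: malformed'; }
  }
  if (!msg || msg.eventType !== 'web_app_open_link') return 'ignored: event type';
  const url = msg.eventData && msg.eventData.url;
  return safeWindowOpen(url, opener) ? 'opened' : 'blocked: url';
}

// Constructed sample messages for a stand-alone run (no browser needed).
function demo() {
  const opened = [];
  const opener = (url) => { opened.push(url); };
  const origin = 'https://miniapp.example'; // constructed origin
  const results = [
    // benign link from the expected origin: opened
    handleWebAppMessage({ origin, data: { eventType: 'web_app_open_link', eventData: { url: 'https://example.com/page' } } }, origin, opener),
    // script-scheme URL from the expected origin: blocked by the scheme allowlist
    handleWebAppMessage({ origin, data: JSON.stringify({ eventType: 'web_app_open_link', eventData: { url: 'javascript:alert(1)' } }) }, origin, opener),
    // well-formed link but from a different origin: ignored
    handleWebAppMessage({ origin: 'https://other.example', data: { eventType: 'web_app_open_link', eventData: { url: 'https://example.com' } } }, origin, opener),
  ];
  return { results, opened };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The origin check and the scheme allowlist are independent controls: the first limits who may send the event, the second limits what the event may open, and the fix the advisory mentions addresses the second. Everything the allowlist rejects is simply dropped rather than opened.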
Impact
Successful exploitation allows an attacker to perform cross-site scripting attacks in the context of the Telegram WebK user's session. This can lead to session hijacking, as the attacker could steal authentication tokens or perform actions on behalf of the victim [1][2]. The overall impact is considered medium severity (CVSS 4.6).
Mitigation
The vulnerability was reported on March 9, 2024, and fixed by Telegram in version Telegram WebK 2.0.0 (488) on March 11, 2024 [2]. Users are advised to update their Telegram Web client to the latest version to protect against this attack.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.