CVE-2019-10044

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to create deceptive URLs using Internationalized Domain Name (IDN) homograph characters that appear identical to legitimate domains, enabling phishing attacks. It affects Telegram Desktop on Windows before version 1.5.12 and Telegram applications for Android, iOS, and Linux, potentially tricking users into clicking malicious links.

💻 Affected Systems

Products:
  • Telegram Desktop
  • Telegram for Android
  • Telegram for iOS
  • Telegram for Linux
Versions: before 1.5.12
Operating Systems: Windows, Android, iOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability occurs when displaying URLs with mixed Latin and Cyrillic characters in fonts that render them identically, affecting all default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Users could be redirected to malicious websites that steal credentials, install malware, or compromise personal data, leading to account takeover or financial loss.

🟠 Likely Case: Phishing attacks where users inadvertently click on spoofed URLs, resulting in credential harvesting or exposure to scams.

🟢 If Mitigated: If users are trained to verify URLs and applications are patched, the risk is reduced to minimal, with only low-impact incidents possible.

🌐 Internet-Facing: HIGH, as this targets applications that handle user-generated content from the internet, making it easy for attackers to distribute malicious links.
🏢 Internal Only: LOW, since the exploit relies on external phishing attempts and does not directly target internal network systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves crafting URLs with homograph characters, which is straightforward and does not require authentication, making it accessible to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.12 or later

Vendor Advisory: https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt

Restart Required: Yes

Instructions:

1. Open the Telegram application.
2. Check for updates in settings or app store.
3. Install version 1.5.12 or higher.
4. Restart the application to apply the patch.

🔧 Temporary Workarounds

Disable automatic link detection
  Applies to: all
  Effect: Prevents URLs from being automatically clickable in messages, reducing the risk of accidental clicks on malicious links.
  How: Not applicable; configure in app settings under Privacy or Security options.

Use browser extensions for URL verification
  Applies to: all
  Effect: Install extensions that highlight or warn about IDN homograph attacks when browsing.
  How: Install from browser extension stores (e.g., Chrome Web Store).

🧯 If You Can't Patch

  • Educate users to manually inspect URLs before clicking, especially for suspicious domains.
  • Implement network filtering to block known malicious domains associated with homograph attacks.

🔍 How to Verify

Check if Vulnerable:

Check the application version in settings; if it is below 1.5.12, it is vulnerable.

Check Version:

On Telegram Desktop: Go to Settings > About; on mobile: Settings > Version.

Verify Fix Applied:

Confirm the application version is 1.5.12 or higher after updating.

📡 Detection & Monitoring

Log Indicators:

  • Look for logs of users clicking on URLs with mixed character sets or domains flagged as suspicious.

Network Indicators:

  • Monitor for connections to domains with homograph characters or known phishing sites.

SIEM Query:

Example: 'url:*cyrillic* OR url:*homograph*' to flag URLs that an upstream parser has already tagged. Raw proxy or DNS logs contain the characters themselves (or the ASCII punycode form of the hostname), not these words, so adapt the pattern to your log schema.
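The query above depends on an upstream tag already being present. The following added Python example (not code from Telegram, the vendor advisory, or this page) shows the underlying check a log pipeline would perform: it parses each URL, decodes punycode (xn--) labels back to Unicode, and flags any DNS label whose letters come from more than one script, the Latin/Cyrillic mix this CVE concerns. The proxy log lines it scans are constructed for illustration and are not real indicators.

```python
"""Detect mixed-script (IDN homograph) hostnames in URLs and proxy log lines.

Added example for the detection section of this page; it is not code from
Telegram or from the referenced advisory. Sample URLs and log lines are
constructed for illustration and are not real indicators.
"""
import unicodedata
from urllib.parse import urlsplit


def script_of(ch: str) -> str:
    """Coarse script of a letter, taken from the first word of its Unicode
    name ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits, hyphens and other
    non-letters return '' so they never count as a script."""
    if not ch.isalpha():
        return ""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def hostname_of(url: str) -> str:
    """Hostname of a URL, with punycode (xn--) labels decoded back to Unicode
    so the check sees the characters a user would be shown."""
    host = urlsplit(url).hostname or ""
    if host.isascii() and "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable punycode: keep the raw label as-is
    return host


def mixed_script_labels(url: str) -> list:
    """One finding per DNS label whose letters come from more than one script.
    A label written entirely in Cyrillic is legitimate; one that mixes Latin
    and Cyrillic letters is the pattern this CVE concerns."""
    findings = []
    for label in hostname_of(url).split("."):
        by_script = {}
        for ch in label:
            script = script_of(ch)
            if script:
                by_script.setdefault(script, []).append(ch)
        if len(by_script) > 1:
            findings.append({
                "label": label,
                "scripts": {s: "".join(chars) for s, chars in by_script.items()},
            })
    return findings


# Punycode form computed at runtime via the IDNA codec so the sample stays correct.
PUNY_HOST = "ex\u0430mple.com".encode("idna").decode("ascii")  # constructed

SAMPLE_PROXY_LOG = [  # constructed sample lines, not real traffic
    "2019-04-01T10:00:00Z user=alice url=https://example.com/login",
    "2019-04-01T10:00:05Z user=bob url=https://ex\u0430mple.com/login",  # U+0430 Cyrillic a
    f"2019-04-01T10:00:09Z user=carol url=https://{PUNY_HOST}/reset",
    "2019-04-01T10:00:12Z user=dana url=https://\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444/",  # all-Cyrillic, legitimate
]


def scan_log(lines):
    """Return (line, findings) for each line whose url= field has a mixed-script label."""
    hits = []
    for line in lines:
        for token in line.split():
            if token.startswith("url="):
                findings = mixed_script_labels(token[len("url="):])
                if findings:
                    hits.append((line, findings))
    return hits


if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_PROXY_LOG):
        print("FLAGGED:", line)
        for f in findings:
            print("   label", repr(f["label"]), "mixes", f["scripts"])
```

Per-label script mixing is one of the rules browsers apply when deciding whether to show a Unicode hostname or its punycode form, and it catches the Latin/Cyrillic case from this advisory without false positives on genuine single-script domains. A label written entirely in one non-Latin script is not flagged, so a domain that is all-Cyrillic yet visually confusable with a Latin name needs a confusables table (Unicode TR39) layered on top of this check.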
