CVE-2024-54916
📋 TL;DR
This vulnerability in Telegram Android allows a physically proximate attacker to bypass the app's passcode authentication and gain unauthorized access to the user's Telegram account and data. It affects users of Telegram Android version 11.7.0 who have passcode protection enabled. The attacker needs physical access to the unlocked device.
💻 Affected Systems
- Telegram Android
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with brief physical access to an unlocked device can bypass Telegram's passcode protection, access private messages, media, contacts, and potentially escalate to other device privileges.
Likely Case
Someone with temporary physical access to a victim's unlocked phone (e.g., colleague, family member) bypasses Telegram passcode to read private conversations and access sensitive data.
If Mitigated
With proper physical security controls and device locking, the risk is significantly reduced as the attacker needs both physical access and an unlocked device.
🎯 Exploit Status
Exploit requires physical access to an unlocked Android device and manipulation of the SharedConfig class. Public proof-of-concept code is available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.7.1 and later
Vendor Advisory: https://telegram.org/blog/
Restart Required: No
Instructions:
1. Open Google Play Store 2. Search for Telegram 3. Update to version 11.7.1 or later 4. No restart required, but close and reopen Telegram app
🔧 Temporary Workarounds
Disable Telegram Passcode
androidTemporarily disable passcode protection in Telegram settings until patched
Open Telegram > Settings > Privacy and Security > Passcode Lock > Turn Off
Enable Device Screen Lock
androidEnsure device has strong screen lock (PIN/pattern/password) to prevent physical access
Settings > Security > Screen lock > Set strong PIN/password
🧯 If You Can't Patch
- Disable Telegram passcode protection in app settings
- Implement strict physical security controls for mobile devices
🔍 How to Verify
Check if Vulnerable:
Check Telegram version in app: Settings > (scroll down) > Telegram Version. If version is exactly 11.7.0 and passcode is enabled, you are vulnerable.Check Version:
Open Telegram > Settings > (scroll down) > Telegram VersionVerify Fix Applied:
Update Telegram via Play Store, then verify version is 11.7.1 or higher in Settings > Telegram Version.📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to Telegram app without passcode entry
- Multiple failed passcode attempts followed by successful access
Network Indicators:
- None - this is a local authentication bypass
SIEM Query:
Not applicable for local device authentication bypass