Telegram Remote Code Execution Zero-Day Vulnerability

43 points by geektips, over 7 years ago

6 comments

wizzard0, over 7 years ago
Calling it "remote code execution" is veeeery clickbait-y. By this logic, any website with download links uses "remote code execution".

Even the source article says just "zero-day".

Also, tldr: Using Unicode Right-To-Left, you can make Telegram show file name "gpj.js" as "sj.jpg". That's all.

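The file-name trick wizzard0 describes above, seen from the receiving side: a check that strips bidirectional control characters and compares the extension a user would see with the extension of the stored name. This is an added example, not part of the thread or of Telegram's code; the sample names are constructed, the extension list is an assumed policy, and `approx_display` is a simplification of the Unicode bidi algorithm that handles a single U+202E.

```python
import os
import unicodedata

# Bidirectional formatting characters that change how a name is drawn.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
                    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
                    "\u200e\u200f\u061c")              # LRM, RLM, ALM
# Assumed policy list: extensions the OS runs or hands to a script host.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".bat", ".cmd"}
RLO, PDF = "\u202e", "\u202c"


def approx_display(name):
    """Roughly what a bidi-aware UI draws: text after RLO appears reversed.
    Simplification: only the first RLO is handled, up to PDF or end of name."""
    start = name.find(RLO)
    if start == -1:
        return name
    end = name.find(PDF, start)
    if end == -1:
        end = len(name)
    return name[:start] + name[start + 1:end][::-1] + name[end + 1:]


def inspect_filename(name):
    """Compare the extension a user sees with the extension of the stored name."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    stored = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(stored)[1].lower()
    shown_ext = os.path.splitext(approx_display(name))[1].lower()
    return {
        "safe_name": stored,            # name with the controls stripped
        "bidi_controls": controls,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "spoofed": real_ext != shown_ext,
        "block": bool(controls) and real_ext in RISKY_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed sample names; the first mirrors the "gpj.js" case above.
    for sample in ["\u202egpj.js", "holiday.jpg", "\u05d3\u05d5\u05d7\u200f.pdf"]:
        print(repr(sample), inspect_filename(sample))
```

The third sample is a right-to-left name carrying a directional mark: it is reported but not blocked, because its shown and stored extensions agree and `.pdf` is not on the assumed list.
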
dsacco, over 7 years ago
This article is atrocious. It has a clear agenda motivating its publication that is simply at odds with facts.

1. This is not a vulnerability with Telegram. The headline is deliberate clickbait, and the article’s Telegram-centric presentation doesn’t redeem it.

2. This is not a remote code execution vulnerability, or even a “0-day” (for whatever meaning that term still has...). This vulnerability is a malicious file upload combined with a clever phishing vector.

The reporting is *exceptionally* bad - so much so that it is difficult for me to attribute it to simple ignorance. It is very clearly trying to hit several checkboxes for what is otherwise a non-story:

* Telegram
* Cybercrime
* Cryptocurrencies/Mining

The entire narrative is carefully constructed with keywords that have no hard relation to the vulnerability *whatsoever* - it feels like I’m reading a bug bounty report where someone extrapolates a minor endpoint security or phishing vulnerability to whatever they think will get the most attention to the report.

Reporting like this almost makes me wish for Gell-Mann Amnesia in my own field.

ptico, over 7 years ago
"Hello! I'm Russian remote code execution vulnerability, please run me and ignore system security warning. Also, you may want to delete your Documents and Settings folder, just press Del button and then Continue"

ejcx, over 7 years ago
This should be renamed to "Telegram right to left vulnerability"

This is just not an RCE. It's just pretty good phishing.

syx, over 7 years ago
I didn't quite understand the "Remote control" scenario; is the victim becoming a telegram bot, where the attacker sends commands to the bot and the bot executes stuff on the victim system?

badwebsite, over 7 years ago
Mods need to change the title -- this is deliberately dishonest reporting as it stands.