Google engineer Dan Reva discovered in Telegram on macOS vulnerabilitywhich can allow attackers to use the laptop’s camera and microphone.
The vulnerability allows to inject a dynamic library (Dylib) with a malicious exploit into Telegram on macOS.With it, attackers will be able to record video from a camera with sound and save the file to a hidden folder on a Mac.Moreover, video and sound recording will work even if the corresponding permissions are turned off.
Launching an escapit is possible because Telegram does not use Apple’s built-in Hardened Runtime security mechanism.It is just responsible for blocking certain types of exploits.
Reva reported this issue to the Telegram team in February 2022.But the developers did not get in touch and still have not eliminated the vulnerability. [Twitter]