Kaspersky Says Telegram Flaw Used For Cryptocurrency Mining

According to Kaspersky Lab, hackers have been exploiting a vulnerability in Telegram's desktop client to mine cryptocurrencies such as Monero and ZCash. "Kaspersky said on its website that users were tricked into downloading malicious software onto their computers that used their processing power to mine currency, or serve as a backdoor for attackers to remotely control a machine," reports Bloomberg. From the report: While analyzing the servers of malicious actors, Kaspersky researchers also found archives containing a cache of Telegram data that had been stolen from victims. The Russian security firm said it "reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger's products."

Re:

[tripleevenfall]

Er... they already are tantamount to gambling in the eyes of the Average Joe

So are stocks, bonds, and commodities.

[Ungrounded Lightning]

Er... [crypto-currency coins are] already are tantamount to gambling in the eyes of the Average Joe

So are the stocks, bonds, and (other) commodities. So is insurance. So what?

Sweet

[dohzer]

Sweet! What's Telegram?

Re:

[drinkypoo]

Sweet! What's Telegram?

Same problem here. I thought they must be referring to a literal telegram. Whoever picked the name "telegram" for their company must have really thought they were slick when they got it, but it only makes them look like a relic from the 1800s.

Re:

[Ungrounded Lightning]

Names of old pantheon gods got used up.
Decent and decently-short acronyms got used up.
Recursive acronyms got used up.
Puns got used up.
We're now stuck with arbitrary word-thing pairing.

We've been there since about the large-scale adoption of linux. Or haven't you noticed the arbitrary naming of major open source applications?

I guess Kaspersky really doesn't care about the US

[guruevi]

If you can backdoor cryptomining into a "secure messaging" service, you can backdoor pretty much everything. I'm sure that any US-based service has similar "bugs". How hard is it to create an application that communicates with a web service without the requirement to run random code? Why is there even a code interpreter in a "secure messaging app"?

Give me my IRC and PGP, at least I can read through and guarantee the code is clear in a matter of hours.

Since when is Telegram a Kaspersky product?

[_merlin]

Kaspersky is disclosing a flaw their security researchers found in Telegram, which is not a Kaspersky product. The Telegram client code is open source, but that apparently hasn't stopped stupidity making it into the desktop client.

Re:

[guruevi]

I wrote my own IRC client on a 80286 running DR-DOS.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[guruevi]

The summary and post it links to implies the Telegram client is executing cryptomining code on its own. Sending a message backwards or forwards is not really an exploit, it's annoying or funny depending on the circumstance. But where is the option to send, link to or execute code?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[guruevi]

It says "Telegram Flaw Used For Cryptocurrency Mining" implies that Telegram has a flaw that allows the clients to mine for cryptocurrency without the users' consent.

Being able to screw around with text and fonts and sending someone a link isn't really an "exploit". There are hundreds of URL shorteners that will do that for you. If the user clicks, downloads and then chmod +x an executable (whatever the Windows equivalent is) then that's a problem with the user.

Re:

[Rockoon]

Alternate question: Why would anyone vote for Trump?

Because the most unelectable politician possible rigged her primary while getting the press to pied piper a gameshow host that was even more unelectable, only to have to murder a big fan of the person she screwed out of the primary because as a party employee he copied the emails from the party email system and gave them to wikileaks, an organization that still has never had to retract anything, delivering proof to the people that she was even worse than they had already thought rigging her primary, gettin

Re:

[AHuxley]

AC to help save computer users from the next Stuxnet, Flame, Equation Group.
https://en.wikipedia.org/wiki/... [wikipedia.org]

GUI-lib developers rarely keep security in mind

[xxxLCxxx]

They may have 'hardened' their cryptographic algorithms, but the problem here is clearly that most GUI-libraries are not. :-(

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[xxxLCxxx]

Yes, but that is a security problem. Sanitize your links and deactivate them, if you must...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[xxxLCxxx]

There's nothing wrong with that feature. If you happen to be left-handed, you might even prefer Arabic. ;-)
If you are receiving an executable that way, there should be a warning. Better even, it should be renamed for safety. Just add an '_disabled_this_executable_' post(/pre)fix. Not everybody is into computers. Most Malware spreads by people downloading and clicking on it. Sometimes this takes out entire hospitals. Therefore, you have to keep this in mind when designing software. You can always have an op

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[xxxLCxxx]

Which is known to not be enough (hospitals down, etc.)...

creepy

[dreamygeek]

This is really becoming a serious concern. We are talking about the bugs that have been discovered. We don't know how many other apps are doing it too silently.