Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bitcoin Privacy Security Software

Kaspersky Says Telegram Flaw Used For Cryptocurrency Mining (bloomberg.com) 42

According to Kaspersky Lab, hackers have been exploiting a vulnerability in Telegram's desktop client to mine cryptocurrencies such as Monero and ZCash. "Kaspersky said on its website that users were tricked into downloading malicious software onto their computers that used their processing power to mine currency, or serve as a backdoor for attackers to remotely control a machine," reports Bloomberg. From the report: While analyzing the servers of malicious actors, Kaspersky researchers also found archives containing a cache of Telegram data that had been stolen from victims. The Russian security firm said it "reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger's products."
This discussion has been archived. No new comments can be posted.

Kaspersky Says Telegram Flaw Used For Cryptocurrency Mining

Comments Filter:
  • Sweet! What's Telegram?

    • Sweet! What's Telegram?

      Same problem here. I thought they must be referring to a literal telegram. Whoever picked the name "telegram" for their company must have really thought they were slick when they got it, but it only makes them look like a relic from the 1800s.

      • Names of old pantheon gods got used up.
        Decent and decently-short acronyms got used up.
        Recursive acronyms got used up.
        Puns got used up.
        We're now stuck with arbitrary word-thing pairing.

        We've been there since about the large-scale adoption of linux. Or haven't you noticed the arbitrary naming of major open source applications?

  • by guruevi ( 827432 ) on Tuesday February 13, 2018 @10:23PM (#56119991)

    If you can backdoor cryptomining into a "secure messaging" service, you can backdoor pretty much everything. I'm sure that any US-based service has similar "bugs". How hard is it to create an application that communicates with a web service without the requirement to run random code? Why is there even a code interpreter in a "secure messaging app"?

    Give me my IRC and PGP, at least I can read through and guarantee the code is clear in a matter of hours.

    • Kaspersky is disclosing a flaw their security researchers found in Telegram, which is not a Kaspersky product. The Telegram client code is open source, but that apparently hasn't stopped stupidity making it into the desktop client.

    • Comment removed based on user account deletion
      • by guruevi ( 827432 )

        The summary and post it links to implies the Telegram client is executing cryptomining code on its own. Sending a message backwards or forwards is not really an exploit, it's annoying or funny depending on the circumstance. But where is the option to send, link to or execute code?

        • Comment removed based on user account deletion
          • by guruevi ( 827432 )

            It says "Telegram Flaw Used For Cryptocurrency Mining" implies that Telegram has a flaw that allows the clients to mine for cryptocurrency without the users' consent.

            Being able to screw around with text and fonts and sending someone a link isn't really an "exploit". There are hundreds of URL shorteners that will do that for you. If the user clicks, downloads and then chmod +x an executable (whatever the Windows equivalent is) then that's a problem with the user.

  • They may have 'hardened' their cryptographic algorithms, but the problem here is clearly that most GUI-libraries are not. :-(
    • Comment removed based on user account deletion
      • Yes, but that is a security problem. Sanitize your links and deactivate them, if you must...
        • Comment removed based on user account deletion
          • There's nothing wrong with that feature. If you happen to be left-handed, you might even prefer Arabic. ;-)
            If you are receiving an executable that way, there should be a warning. Better even, it should be renamed for safety. Just add an '_disabled_this_executable_' post(/pre)fix. Not everybody is into computers. Most Malware spreads by people downloading and clicking on it. Sometimes this takes out entire hospitals. Therefore, you have to keep this in mind when designing software. You can always have an op
  • This is really becoming a serious concern. We are talking about the bugs that have been discovered. We don't know how many other apps are doing it too silently.

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...