Security News > 2024 > April > Telegram fixes Windows app zero-day caused by file extension typo
This caused the file to automatically be executed by Python without a warning from Telegram like it does for other executables, and was supposed to do for this file if it wasn't for a typo.
In a statement to BleepingComputer, Telegram rightfully disputes that the bug was a zero-click flaw but confirmed they fixed the "Issue" in Telegram for Windows to prevent Python scripts from automatically launching when clicked.
"Rumors about the existence of zero-click vulnerabilities in Telegram Desktop are inaccurate. Some"experts" recommended to "disable automatic downloads" on Telegram - there were no issues which could have been triggered by automatic downloads.
The Telegram Desktop client keeps track of a list of file extensions associated with risky files, such as executable files.
Pyzw file extension with the Python executable, causing Python to execute the scripts automatically when the file is double-clicked.
To masquerade the file, researchers devised using a Telegram bot to send the file with a mime type of 'video/mp4,' causing Telegram to display the file as a shared video.