A Google security engineer has revealed that the Telegram application on macOS suffers from a vulnerability that could be exploited to gain unauthorized access to the device’s camera.
Normally, Apple’s Transparency, Consent, and Control (TCC) mechanism manages access to protected areas and hardware such as the camera and microphone, and even administrators do not have access to them unless an application is granted that access.
Telegram is one of those applications requiring access to the computer’s camera and microphone to accommodate the user’s communication needs, like video calls.
The researcher discovered that due to a lack of ‘Hardened Runtime’ on Telegram’s macOS app, it is possible to inject a malicious Dynamic Library (Dylib) on it using the ‘DYLD_INSERT_LIBRARIES’ variable. The injected Dylib makes the code run even before the Telegram app starts, giving it full access to certain features, including the camera.
The specially crafted Dylib contains code that covertly activates the computer’s camera to record video while the user remains oblivious to this activity. Even if the camera’s active indicator light is on, the user might not suspect it signifies ongoing video recording, assuming it is a standard activation due to launching the Telegram app.
One thing to note is that normally, it is impossible for outside code to abuse the Telegram app’s access to the camera due to the software running within a special ‘sandbox,’ however, the researcher found that this protection can be bypassed using ‘LaunchAgents’ to run the app in the background through scheduled execution.
Read more