The Telegram app for MacBook can be used to access the device's camera and microphone. The vulnerability that allows this was discovered by Google developer Dan Revah, as he wrote in his blog. The programmer found the vulnerability back in February 2023, but published information about it in May, as Telegram did not respond to his messages about the threat to user privacy.
The security "hole" found in Telegram makes it possible to record video from the MacBook's camera and audio from its microphone by relying on the fact that the user has already granted Telegram permission to access the camera and microphone. macOS normally restricts such actions, but Dan Revah found a way to bypass the restrictions using exactly the permissions given to the Telegram application. He wrote a program that successfully started the video recording process using the Telegram infrastructure and then saved the recorded video.
A vulnerability is the ability to disrupt the operation of an application; the mere existence of a vulnerability does not mean that anyone has used it. When vulnerabilities are discovered, especially ones that threaten the security and privacy of users, the companies behind the applications usually seek to eliminate them. According to Revah, however, Telegram did not respond to his messages.
The official Telegram account noted on Twitter that the vulnerability can only be exploited if someone already has access to the victim's MacBook.
In addition, the vulnerability only works for the application downloaded from the official App Store, and there is no vulnerability in the version downloaded from the website.
In February 2023, Wired wrote about the ability to upload information from closed chats in Telegram despite the privacy settings. The Insider tells how to become as private as possible in Telegram.