Typo Trouble: Exploring the Telegram Python RCE Vulnerability

Telegram’s Windows application was recently updated to address a critical zero-day flaw that permitted the execution of Python scripts without triggering security alerts, due to a typo in processing certain file extensions.

This vulnerability first surfaced on online forums, and a proof of concept was later shared on the XSS forum. The issue centered on Python “.pyzw” files, which, due to a typo, evaded Telegram’s security protocols and ran immediately upon user interaction, provided Python was present on the device. Cyber adversaries could cloak these scripts as innocuous video files, duping users into running them.

As of now, Telegram has deployed a server-side remedy by tagging “.pyzw” files with the “.untrusted” suffix, thereby requiring user deliberation to execute them. Telegram has also rectified the original coding error; that fix will be pushed in upcoming updates.

Exploring the vulnerability

The Telegram Desktop app keeps a record of file extensions associated with hazardous elements, such as executables. If a user attempts to access one of these file types shared through Telegram, the related Windows application won’t start by itself. Rather, Telegram presents a security warning message, as shown below.

Telegram Error Message

Conversely, if a file type that is not recognized is shared via Telegram, Windows will initiate its opening automatically, deferring to the operating system to determine the suitable program to use.

The recent commit history reveals that an error was made when the extension list was first populated: “pyzw” was misspelled as “pywz”. Because the list held the wrong string, “.pyzw” files were treated as an unrecognized type and handed straight to Windows. This typo was the cause of the Remote Code Execution (RCE) vulnerability within the application.

Telegram commit to update the extension List.
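
A check of the kind that catches this class of typo before release, as an added example that is not Telegram's code: it compares a risky-extension list against a reference set and flags unknown entries that are one edit or one adjacent-letter swap away from a reference extension the list fails to cover. The reference set, the two sample lists and all function names are assumptions constructed for illustration.

```python
# Added example: audit a risky-extension list for near-miss typos.
# REFERENCE, BUGGY and FIXED are constructed for illustration only.
REFERENCE = {"exe", "bat", "cmd", "py", "pyw", "pyc", "pyz", "pyzw"}
BUGGY = ["exe", "bat", "cmd", "py", "pyw", "pyc", "pyz", "pywz"]  # typo from the page
FIXED = ["exe", "bat", "cmd", "py", "pyw", "pyc", "pyz", "pyzw"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert/delete/substitute plus adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "wz" <-> "zw"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(entries):
    return {e.lower().lstrip(".") for e in entries}


def audit_list(entries, reference=REFERENCE):
    """Return (uncovered reference extensions, {unknown entry: likely intended})."""
    listed = normalize(entries)
    missing = sorted(reference - listed)
    typos = {}
    for entry in sorted(listed - reference):
        near = [r for r in missing if osa_distance(entry, r) == 1]
        if near:
            typos[entry] = near
    return missing, typos


def would_warn(filename, entries):
    """True if the file's final extension is on the list (warning shown)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in normalize(entries)


if __name__ == "__main__":
    print(audit_list(BUGGY))                # flags 'pywz' as a likely 'pyzw'
    print(would_warn("clip.pyzw", BUGGY))   # no warning with the misspelled list
```

Run as a unit test or CI step against the real list, a non-empty result from `audit_list` fails the build.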


First, we create a Python zip application (.pyzw) that opens cmd.exe, as shown below.

Simple python zipper app to open cmd.exe upon execution.

Then we send the file to the victim. Because of the typo, the security measures implemented by Telegram are bypassed, so when the victim clicks on the message (file), the command is executed.

RCE exploit

As a fix, Telegram has deployed a server-side change where all .pyzw files are tagged with the .untrusted extension. This again produces a pop-up asking the user to confirm whether they want to run the application, as shown below.

Server-side Fix

Telegram has said they are working on a fix so that future versions of the Telegram Desktop app will show the security warning message rather than appending the “.untrusted” extension, adding a bit more security to the process.

Typo Trouble: Exploring the Telegram Python RCE Vulnerability was originally published in InfoSec Write-ups on Medium.

Article Link: Typo Trouble: Exploring the Telegram Python RCE Vulnerability | by JustAnother-Engineer | Apr, 2024 | Medium