TLDR:
- A vulnerability in Telegram Web App allows attackers to hijack user sessions
- Telegram has patched the vulnerability in version 2.0.0 (488)
A new vulnerability in Telegram has been discovered that allows threat actors to hijack user sessions through cross-site scripting (XSS). It affects Telegram WebK versions below 2.0.0 and also users of web3. The vulnerability is triggered through the web_app_open_link event type, which lets an attacker capture a victim's session ID and take over the session. Telegram patched the issue in version 2.0.0 (488) by adding code that blocks exploitation. Users are advised to upgrade to the latest version to prevent session hijacking.
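The page names the event type but not the exact weakness in the handler, so the following is an added illustration of the general defensive pattern for this class of bug, not Telegram's own code and not a description of the patch: a host page that receives an "open link" request from an embedded, untrusted mini-app frame should verify the message origin, parse the URL strictly and allow only http/https before handing it to the browser. The event name web_app_open_link is taken from the page; the message layout (`eventType`/`eventData`), the function names and the `expectedOrigin` parameter are assumptions made for the example.

```javascript
// Added example (not Telegram's code): hardened handling of an open-link request
// posted by an untrusted embedded web app. Message shape and names are assumed.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return a normalized absolute URL string, or null if the link must be refused.
function validateOpenLinkUrl(rawUrl) {
  if (typeof rawUrl !== 'string' || rawUrl.length === 0 || rawUrl.length > 2048) {
    return null;
  }
  let parsed;
  try {
    // No base URL on purpose: relative or scheme-less input is rejected, not resolved.
    parsed = new URL(rawUrl);
  } catch {
    return null;
  }
  // Allowlist, never denylist: javascript:, data:, blob:, vbscript: etc. all fall through here.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null;
  }
  // Refuse embedded credentials (user:pass@host), a common lure in phishing links.
  if (parsed.username || parsed.password) {
    return null;
  }
  return parsed.href;
}

// Decide what to do with one postMessage event from the mini-app iframe.
// Returns { type: 'open', url } or { type: 'reject', reason }.
function handleWebAppMessage(event, expectedOrigin) {
  // The frame's origin is fixed when the host embeds it; anything else is ignored.
  if (event.origin !== expectedOrigin) {
    return { type: 'reject', reason: 'origin' };
  }
  let msg;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch {
    return { type: 'reject', reason: 'malformed' };
  }
  if (!msg || msg.eventType !== 'web_app_open_link') {
    return { type: 'reject', reason: 'unknown_event' };
  }
  const url = validateOpenLinkUrl(msg.eventData && msg.eventData.url);
  if (url === null) {
    return { type: 'reject', reason: 'url' };
  }
  return { type: 'open', url };
}

// Open the validated link in a new browsing context that cannot reach back
// into the host window (no window.opener, no Referer).
function openValidatedLink(action) {
  if (action.type !== 'open') {
    return false;
  }
  window.open(action.url, '_blank', 'noopener,noreferrer');
  return true;
}

// Typical wiring in the host page (browser only):
// window.addEventListener('message', (ev) =>
//   openValidatedLink(handleWebAppMessage(ev, 'https://miniapp.example')));
```

The two checks that matter most are the origin comparison and the scheme allowlist. Parsing with `new URL()` and comparing `protocol` against a fixed set is more robust than string-prefix checks, which miss case variations, leading whitespace and scheme-less inputs; rejecting anything that fails to parse keeps the decision fail-closed. Pairing the final `window.open` with `noopener,noreferrer` limits what a legitimately opened page can do to the session that opened it.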