tdesktop icon indicating copy to clipboard operation
tdesktop copied to clipboard

Published 20 hours ago verified publisher icon telegramdesktop

Unicode char HANGUL FILLER (U+3164) allows sending invisible messages

Open simplylu opened this issue 3 years ago • 3 comments

Steps to reproduce

  1. Copy the HANGUL FILLER char from unicode-explorer.com (0x3164)
  2. Paste this single char into chat and send the message

Expected behaviour

Behaviour is the same as with the Mongolian Vowel Separator (unicode-explorer.com (0x180e) in many other applications. The MVS gets deleted after one sends this single char. Should be the same for the HANGUL FILLER.

Actual behaviour

With this char you're able to send an "empty" message, as it's not detected by Telegram in contrast to the MVS.

Operating system

Manjaro Qonos 21.2.2, Gnome 41.3

Version of Telegram Desktop

3.5.2

Installation source

Static binary from official website

Logs

No response

simplylu avatar Feb 21 '22 11:02 simplylu

Hey there!

This issue was inactive for a long time and will be automatically closed in 30 days if there isn't any further activity. We therefore assume that the user has lost interest or resolved the problem on their own.

Don't worry though; if this is an error, let us know with a comment and we'll be happy to reopen the issue.

Thanks!

github-actions[bot] avatar Sep 05 '22 02:09 github-actions[bot]

I wanna add to this, that with invisible chars (especially the MVS 0x180e, since it has no visible width), you can fake the preview of a link. Not quite sure how effective it'd be to misuse this behaviour, but I think it's worth to mention it.

How to:

  1. Insert invisible char and give it a hyperlink
  2. Paste the actual link somewhere behind the invisible char

What happens:

  1. The preview of the first found link in a message will be rendered, the other ones won't.

With that, you're able to send a link like https://telegram.org/, but set the hyperlink to a malicious website. Without the first hyperlink on the invisible char, the malicious website would be previewed. image

But using the hyperlink on an invisible char, you can actually render the preview of https://telegram.org/ making your message look more legit. Just by hovering over the link, you can see the actual hyperlink (http.cat) image

Caveat: Updated versions of telegram (Desktop and Android app) are always asking if you want to open a specific link. But not everyone is checking the link presented there and just clicks on "open", or the link could be obfuscated with the usage of URL shorteners.

Remediation:

  • Avoid sending of invisible chars if possible
  • Remove the ability to set hyperlinks on invisible chars or phrases which contain these (like spaces + several invisible chars).

simplylu avatar Sep 05 '22 07:09 simplylu

@js-on Hmm, maybe that's a feature 🤔

I'd say that the easiest thing to fake on a malicious website is the preview, so you won't improve security by disabling such previews. But a lot of legit cases, where you just want to attach some nicely-formatted content (in a webpage-preview format) to your message without any meaningful link will be punished.

john-preston avatar Sep 05 '22 07:09 john-preston

Hey there!

This issue was inactive for a long time and will be automatically closed in 30 days if there isn't any further activity. We therefore assume that the user has lost interest or resolved the problem on their own.

Don't worry though; if this is an error, let us know with a comment and we'll be happy to reopen the issue.

Thanks!

github-actions[bot] avatar Mar 05 '23 02:03 github-actions[bot]