Description
Telegram Desktop through 2.4.3 does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files.
References (4)
Core 4
Core References
Product x_refsource_misc
https://www.Telegram.org
Third Party Advisory x_refsource_misc
https://github.com/soheilsamanabadi/vulnerability/blob/main/Telegram-Desktop-CVE-2020-25824
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/telegramdesktop/tdesktop/releases/tag/v2.4.3
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202101-34
Scores
CVSS v3
2.4
EPSS
0.0018
EPSS Percentile
39.3%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-306
Status
published
Products (1)
telegram/telegram_desktop
< 2.4.3
Published
Oct 14, 2020
Tracked Since
Feb 18, 2026