Recently, a vulnerability was discovered in Telegram that allowed attackers to sell

April 5, 2025, ceosanya
🔁 News from Telegram - Ghostbase News

Recently, a vulnerability was discovered in Telegram that allowed attackers to sell Stars at a discounted price and then request refunds. This led to the loss of gifts and other services paid for with these stars.

It reminded me of a case from 2022, when a bug was found that allowed users to endlessly gift Premium subscriptions 👨‍💻

👨‍💻Out of curiosity, I gathered a list of major vulnerabilities from recent years:

  1. SMS Verification Attack (2017–2020)

Essence: Attackers intercepted SMS verification codes (through SIM swapping or mobile operator vulnerabilities).

Consequences: Account takeover and access to chats (if 2FA was not enabled).

Protection: Telegram introduced mandatory two-factor authentication (2FA) and recommended setting a password for Telegram Desktop.

  2. Voice Call IP Leak (2021)

Essence: Through P2P calls, it was possible to obtain a user's IP address.

Consequences: Risk of deanonymization, especially dangerous for journalists and activists.

Protection: Telegram added the setting "Peer-to-Peer Calls → Never" in Privacy & Security.

  3. API Exploitation via Unofficial Clients (2022–2023)

Essence: Some third-party apps (like Plus Messenger) had vulnerabilities that allowed hidden access to user data.

Consequences: Chat leaks if users entered their credentials into fake apps.

Protection: Telegram started banning unofficial clients and restricted API access.

  4. Payment Caching Bugs Exploitation (2022–2023)

Essence: Some users discovered a way to subscribe to Premium, cancel the payment, but still keep the subscription features.

  5. EvilVideo — Vulnerability in Telegram for Android (2024)

Essence: Attackers sent malicious APK files disguised as videos. When users tried to open them, the app suggested using an external player, which could lead to malware installation.

Condition: The attack required the user to allow installation of apps from unknown sources.

  6. Phishing Through Fake Authorization Requests (2025)

Essence: Mass fake authorization requests are being sent in Telegram.

Examples: Domains like claim-giveaway.*, with designs closely mimicking Telegram’s official interface, making it easy to confuse "Deny" and "Allow" buttons.

  7. Stars Refund Scam (2025)

Essence: One of the largest refund scammers managed to extract about 50 million stars, selling them at prices much lower than the official rate.

Consequences: Users and bots lost gifts, upgrades, and faced negative balances.
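The negative balances described above hit bots that handed out gifts or upgrades the moment a Stars payment arrived, before the payment could be refunded. The following is an added example, not code from the original post or from Telegram: a bot-side ledger that reconciles Bot API `successful_payment` and `refunded_payment` service messages, holds fulfilment for a refund window, and flags refunds that leave a user's net balance negative. The `HOLD_SECONDS` policy and the assumption that `message.chat.id` identifies the paying user are this example's own choices.

```python
from collections import defaultdict

HOLD_SECONDS = 24 * 3600  # assumed policy: fulfil a Stars purchase only after this refund window

class StarsLedger:
    """Per-user Stars (currency "XTR") ledger: a bot refuses to release gifts or
    upgrades whose payment may still be clawed back by a refund."""

    def __init__(self):
        self.paid = defaultdict(int)      # user_id -> Stars received
        self.refunded = defaultdict(int)  # user_id -> Stars refunded
        self.charges = {}                 # charge_id -> (user_id, amount, unix_ts)
        self.refunded_charges = set()
        self.anomalies = []               # findings for human review

    def apply(self, update):
        """Consume one Bot API update carrying a payment service message.
        Assumption (this example's): message.chat.id identifies the paying user."""
        msg = update.get("message", {})
        user = msg.get("chat", {}).get("id")
        ts = msg.get("date", 0)
        if "successful_payment" in msg:
            p = msg["successful_payment"]
            if p.get("currency") != "XTR":
                return  # not a Stars payment
            self.charges[p["telegram_payment_charge_id"]] = (user, p["total_amount"], ts)
            self.paid[user] += p["total_amount"]
        elif "refunded_payment" in msg:
            r = msg["refunded_payment"]
            cid = r["telegram_payment_charge_id"]
            self.refunded[user] += r["total_amount"]
            self.refunded_charges.add(cid)
            if cid not in self.charges:
                self.anomalies.append(f"refund for unknown charge {cid} (user {user})")
            if self.balance(user) < 0:
                self.anomalies.append(f"user {user} net Stars balance is {self.balance(user)}")

    def balance(self, user):
        return self.paid[user] - self.refunded[user]

    def releasable(self, charge_id, now):
        """Fulfil only if the charge is known, unrefunded, past the hold window,
        and the buyer's net balance is not negative."""
        if charge_id not in self.charges or charge_id in self.refunded_charges:
            return False
        user, _amount, ts = self.charges[charge_id]
        return now - ts >= HOLD_SECONDS and self.balance(user) >= 0
```

Feed every incoming update through `apply()` and call `releasable()` from the fulfilment job instead of delivering on receipt; anything in `anomalies` is a candidate for manual review before the user is served again.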

Conclusion:

As Telegram's popularity grows, the number of attacks and vulnerabilities also increases. In most cases, regular users suffer the consequences.

How to protect yourself:

  • Always enable two-factor authentication (2FA).

  • Be cautious with suspicious links.

  • Don't engage with scammers.

  • Only use verified bots and applications.

Telegram itself is extremely difficult to hack — but the human factor often remains the weakest link.