@thezdi I'm really frustrated with the way ZDI lists this without any information. 9.8 means nothing anymore, and when all we have is that the vendor is "Telegram" we have no idea if that means:
- RCE
- Broad-stroke mitigations if so (being broader to prevent ID)
- A flaw with their blockchain crap
- A flaw in their payment platform
- A vulnerability in the bot API allowing malicious takeover of a bot

I know details need to be sparse but the way this is listed feels attention-seeking for ZDI more than to help allay fears in users that are now panicking and coming up with supposed mitigations.

@thezdi

it was reduced to 7.0 in the meantime

and here in the update section is some explanation

https://securityonline.info/telegram-critical-zero-click-vulnerability-zdi-can-30207/

CRITICAL ALERT: Telegram Vulnerability "ZDI-CAN-30207" Exposes Users to Zero-Click Attacks

A critical 9.8 CVSS zero-click flaw (ZDI-CAN-30207) hits Telegram, affecting 1 billion users. No interaction needed for full system hijack. Patching now!

Daily CyberSecurity