PoC: Exploring the Telegram Python RCE Vulnerability

A typo in Telegram Desktop’s extension whitelist allowed Python zip-app files with the .pyzw extension to bypass safety checks and execute Python scripts when clicked, enabling remote code execution if Python was present on the host. Telegram applied a server-side mitigation that appends a .untrusted suffix to .pyzw files and will ship a client-side fix to restore proper security warnings. #pyzw #TelegramDesktop

Keypoints

  • Telegram Desktop had a typo in its extension whitelist: ‘pyzw’ was entered as ‘pywz’, causing .pyzw files to be treated as unrecognized and opened automatically by Windows.
  • Attackers could package malicious Python code as a .pyzw (Python zip application) and cloak it as a video to trick users into executing it.
  • Proof-of-concept demonstrated creating a .pyzw that launched cmd.exe upon execution and delivering it via Telegram to a victim.
  • Because unrecognized extensions are opened by the OS, clicking the .pyzw allowed remote code execution if Python was installed on the system.
  • Telegram deployed a server-side mitigation tagging .pyzw files with a .untrusted suffix to force an extra user confirmation before execution.
  • Telegram fixed the underlying typo in source and plans client-side updates so the app shows security warnings instead of relying on the .untrusted suffix.

MITRE Techniques

  • [T1204] User Execution – The attack required the user to click the delivered file to run it, enabling code execution. Source quote: ‘when victim clicks on the message(file) the command would be executed.’
  • [T1105] Ingress Tool Transfer – The malicious .pyzw file was uploaded and delivered to the victim through Telegram. Source quote: ‘Then we upload the file to the victim’
  • [T1036] Masquerading – The attacker disguised Python scripts as harmless video files to trick users into opening them. Source quote: ‘cloak these scripts as innocuous video files’
  • [T1203] Exploitation for Client Execution – A typographical error in the extension whitelist caused Telegram to mishandle .pyzw files, enabling remote code execution. Source quote: ‘“pyzw” was incorrectly entered as “pywz” … This typo was the cause of the Remote Code Execution (RCE) vulnerability’

Indicators of Compromise

  • [File extension] extension used to bypass checks – .pyzw (the whitelist entry was misspelled as ‘pywz’, so .pyzw went unrecognized)
  • [File suffix] server-side mitigation tag – .untrusted (Telegram appends this to .pyzw files)
  • [File name / executable] demonstration payload – Python zip application (.pyzw) that launches cmd.exe
  • [URL] related writeups / sources – https://medium.com/@justanother-engineer/typo-trouble-exploring-the-telegram-python-rce-vulnerability-b7bc8a12c9ba

The vulnerability stemmed from a simple misspelling in Telegram Desktop’s extension whitelist: the intended entry ‘pyzw’ was entered as ‘pywz’, so .pyzw files were not classified as potentially dangerous. Because Telegram defers to the operating system for unrecognized extensions, Windows would automatically open a .pyzw file with the associated program (Python), allowing a zipped Python application to run immediately when clicked.

In the proof-of-concept, an attacker creates a Python zip application with a .pyzw extension that executes cmd.exe on launch, uploads it to a target via Telegram, and relies on social engineering (e.g., presenting it as a video) to get the user to click it. The exploitation chain is: deliver .pyzw via Telegram (Ingress Tool Transfer), trick the user into opening it (User Execution / Masquerading), and execute arbitrary code through the host’s Python runtime (resulting in RCE).

Telegram’s immediate mitigation was server-side: tag incoming .pyzw files with an added .untrusted suffix to force an extra confirmation before execution. The underlying whitelist typo was corrected in source code, and a client update is planned to display in-app security warnings rather than relying on the suffix-based workaround.
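The two paragraphs above describe one root cause (a misspelled entry in a "warn before opening" extension list) and two mitigations (the server-side .untrusted rename and the corrected list). The following is an added example, not Telegram's code or the article's: it uses constructed illustrative extension sets rather than the real Telegram Desktop list, shows how the typo lets a .pyzw name fall through the check, implements the rename the page describes, and goes one step beyond the page with a content-based check for Python zip applications, since an extension check alone is defeated by renaming.

```python
"""Added example (not Telegram's code): a misspelled entry in an extension
check lets a file type through, plus the two mitigations described above.
The extension sets below are constructed illustrative subsets only."""
import io
import os
import zipfile

# Constructed subsets of a "show a security warning" extension list.
# The first reproduces the page's typo ("pywz" where "pyzw" was intended).
EXTENSIONS_WITH_TYPO = frozenset({"exe", "bat", "cmd", "pyz", "pywz"})
EXTENSIONS_FIXED = frozenset({"exe", "bat", "cmd", "pyz", "pyzw"})


def extension_of(filename: str) -> str:
    """Return the normalized last extension: lowercase, no leading dot.
    Trailing spaces and dots are stripped because Windows ignores them
    when resolving a file association."""
    name = filename.rstrip(" .")
    _, ext = os.path.splitext(name)
    return ext.lstrip(".").lower()


def needs_warning(filename: str, flagged: frozenset) -> bool:
    """True when the client should warn before handing the file to the OS;
    False means 'unrecognized, let the OS open it with its association'."""
    return extension_of(filename) in flagged


def server_side_mitigation(filename: str) -> str:
    """The interim server-side workaround from the page: rename .pyzw files
    so the OS no longer has a program associated with them."""
    if extension_of(filename) == "pyzw":
        return filename + ".untrusted"
    return filename


def looks_like_zipapp(data: bytes) -> bool:
    """Content-based check (goes beyond the page): a Python zip application
    is a zip archive containing __main__.py, optionally preceded by a shebang
    line. It ignores the file name, so renaming does not defeat it."""
    if data.startswith(b"#!"):
        newline = data.find(b"\n")
        if newline == -1:
            return False
        data = data[newline + 1:]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "__main__.py" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def build_benign_zipapp() -> bytes:
    """Constructed sample: a harmless zip application whose __main__.py only
    prints a line. Used here to exercise looks_like_zipapp()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("__main__.py", "print('benign sample')\n")
    return b"#!/usr/bin/env python3\n" + buf.getvalue()


if __name__ == "__main__":
    # Constructed name imitating the "looks like a video" masquerade.
    sample = "holiday_video.mp4.pyzw"
    print("typo list warns:   ", needs_warning(sample, EXTENSIONS_WITH_TYPO))  # False
    print("fixed list warns:  ", needs_warning(sample, EXTENSIONS_FIXED))      # True
    print("server-side rename:", server_side_mitigation(sample))
    print("content check:     ", looks_like_zipapp(build_benign_zipapp()))      # True
```

The first two checks reproduce the bug and the fix: the same filename passes silently through the misspelled set and is flagged by the corrected one. The rename shows why the server-side workaround worked as a stopgap (after renaming, the extension is "untrusted", which no program claims), and the content check is the kind of extension-independent inspection a mail or chat gateway can apply regardless of how the sender labels the file.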

Read more: https://medium.com/@justanother-engineer/typo-trouble-exploring-the-telegram-python-rce-vulnerability-b7bc8a12c9ba