Keypoints
- A typo in Telegram Desktop’s list of risky file extensions (‘pywz’ instead of ‘pyzw’) meant Python zipapp (.pyzw) files were not recognised as executable-like, so the client skipped its security warning and handed the file straight to Windows, which launched it through the file association when clicked.
- Attackers could disguise a .pyzw script as a video by sending it with a video/mp4 MIME type and a thumbnail, so the client rendered it as a playable clip and tricked users into clicking it.
- When Python is installed and .pyzw is associated with the interpreter, clicking the disguised file runs the script: user-assisted remote code execution.
- Telegram corrected the extension in the client source code and deployed a server-side fix that appends “.untrusted” to affected files, so Windows asks the user which program to use instead of launching Python.
- Telegram stated that the flaw required a user click and affected only a very small share of users: those with Python installed who run the affected Telegram Desktop version.
- Proof-of-concept demonstrations showed the disguised file opening a command prompt when clicked.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – The exploit relied on a user clicking a disguised file to execute code (‘to trick users into clicking on the fake video to watch it’).
- [T1036] Masquerading (sub-technique T1036.008, Masquerade File Type) – The malicious .pyzw file was sent with a ‘video/mp4’ MIME type and thumbnail so it appeared as a legitimate shared video (‘using a Telegram bot to send the file with a mime type of “video/mp4,” causing Telegram to display the file as a shared video’).
- [T1203] Exploitation for Client Execution – A logic error (typo) in Telegram’s risky-extension check let the file reach Windows without a warning, and the Python file association then executed it (‘they made a typo, entering the extension as “pywz” rather than the correct spelling of “pyzw”‘).
- [T1566.003] Phishing: Spearphishing via Service – The payload was delivered through Telegram itself (a bot or chat message) and relied on social engineering, clicking a presented media item, to trigger it (‘the proof of concept exploit disguised the Python file as a shared video… that could be used to trick users into clicking’).
Indicators of Compromise
- [File name] proof-of-concept file names – video.pyzw (disguised as mp4), video.pywz (POC variant); generic names like these are trivially changed, so the extension rather than the name is the durable indicator (note that Python registers .pyzw, not .pywz, so only the former auto-launches)
- [File extension] extensions involved – .pyzw (Python zipapp, associated with the interpreter), .pywz (the typo entry in Telegram’s list), .untrusted (server-side appended extension with no Windows association)
- [MIME type] used for masquerade – video/mp4 declared on a file whose bytes are a zip archive (used to display the script as a shared video)
- [URLs] reporting and fixes – https://www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-used-to-launch-python-scripts/, https://github.com/telegramdesktop/tdesktop/…/data_document_resolver.cpp (commit fixing extension)
Telegram Desktop mistakenly listed the Python zipapp extension with a typographical error (‘pywz’ instead of ‘pyzw’) in its table of risky file extensions. Telegram’s intended behavior is to show a warning before opening executable-like extensions, but because .pyzw did not match the misspelled entry, the client skipped the warning and handed the file to Windows; on a machine where .pyzw is associated with the Python interpreter, the operating system then launched Python automatically when the user clicked the file. Researchers demonstrated that attackers could further hide the payload by sending the file with a ‘video/mp4’ MIME type and a thumbnail, presenting it as a playable video so a user would click and inadvertently execute the script.
Telegram fixed the root cause in the client source by correcting the extension entry and deployed an immediate server-side mitigation: the service appends a ‘.untrusted’ suffix to affected files, and since Windows has no association for that extension it prompts the user to choose a program rather than auto-launching Python. The vulnerability required user interaction (a click) and only affected users with the Python interpreter installed and the affected Telegram Desktop version; proof-of-concept tests showed the disguised file opening a command prompt when clicked.
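The following is an added example, not Telegram’s code, that models the failure chain described above (the misspelled entry in the risky-extension list, the Python file association, and the ‘.untrusted’ rename) alongside a content check that catches a zipapp regardless of the MIME type it is sent with. The two extension tables are illustrative subsets, not tdesktop’s real table; the set of Python-associated extensions assumes a default Python for Windows install; the zipapp and MP4 header are constructed samples.

```python
# Added example (not Telegram's code): models the extension-list check, the
# Python file association, the server-side ".untrusted" mitigation and a
# content check that flags a zipapp no matter what MIME type it claims.
import io
import os
import zipfile

# Illustrative subsets of a "risky extensions" table. tdesktop's real table is
# far longer; only the entry relevant here differs between the two.
RISKY_EXTENSIONS_TYPO = {"exe", "bat", "cmd", "py", "pyw", "pyz", "pywz"}   # 'pywz' typo
RISKY_EXTENSIONS_FIXED = {"exe", "bat", "cmd", "py", "pyw", "pyz", "pyzw"}  # corrected

# Extensions the Python for Windows installer registers to the interpreter by
# default (assumed typical install; a custom install may differ).
PYTHON_ASSOCIATED = {"py", "pyw", "pyz", "pyzw"}


def extension_of(name):
    return os.path.splitext(name)[1].lstrip(".").lower()


def client_warns(name, table):
    """True if a client using `table` would show its risky-file warning."""
    return extension_of(name) in table


def would_auto_execute(name, table):
    """The dangerous combination: no client warning AND a Python association."""
    return not client_warns(name, table) and extension_of(name) in PYTHON_ASSOCIATED


def server_side_rename(name):
    """Interim mitigation: '.untrusted' has no Windows association, so the
    shell prompts for a program instead of launching Python."""
    return name + ".untrusted" if extension_of(name) == "pyzw" else name


def build_zipapp():
    """Constructed sample: a minimal, harmless zipapp (prints one line if run)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("__main__.py", 'print("zipapp ran")\n')
    return buf.getvalue()


# Constructed sample: the leading 'ftyp' box of an ISO-BMFF (MP4) file.
MP4_SAMPLE = b"\x00\x00\x00\x1cftypisom\x00\x00\x02\x00isomiso2mp41"


def sniff(data):
    """Classify by content, not by name. A zipapp may carry a '#!' line before
    the zip 'PK' signature, so one shebang line is skipped before checking."""
    if data.startswith(b"#!"):
        newline = data.find(b"\n")
        data = data[newline + 1:] if newline != -1 else b""
    if data[:2] == b"PK":
        return "zip"
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def mime_matches_content(declared_mime, data):
    """False when the declared MIME type disagrees with the bytes (masquerade)."""
    expected = {"video/mp4": "mp4", "application/zip": "zip"}.get(declared_mime)
    return expected is not None and expected == sniff(data)


if __name__ == "__main__":
    payload = build_zipapp()
    for label, table in (("typo", RISKY_EXTENSIONS_TYPO), ("fixed", RISKY_EXTENSIONS_FIXED)):
        print(label, "table: video.pyzw auto-executes:", would_auto_execute("video.pyzw", table))
    print("server rename:", server_side_rename("video.pyzw"))
    print("video/mp4 matches zipapp bytes:", mime_matches_content("video/mp4", payload))
```

The point of `sniff` is that a filename or declared MIME type is attacker-controlled, while the first bytes are not: a client or gateway that checks the zip signature (after any shebang line) would have flagged the disguised file even with the misspelled extension entry in place.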
Moving forward, Telegram indicated that future client updates will restore the proper security warning for such extensions rather than relying solely on server-side renaming, giving defense in depth for the handling of risky file types.