Telegram refutes CertiK’s auto-download security risk claim

Blockchain security startup CertiK said Telegram’s desktop application poses risks to use due to a media auto-download feature, but the social network challenged such claims.

CertiK alerted the crypto community to a supposed high-risk vulnerability in images and videos sent on Telegram’s private messaging app.

Users were advised to turn off automatic download settings to mitigate attacks, but the security provider did not explain how it reached this conclusion. 

Telegram responds to CertiK’s claim

Shortly after CertiK’s notice on X, Telegram debunked the assertion that its over 800 million worldwide users might be compromised if they have automatic media downloads turned on. The platform added that participants had not reported cases of remote code execution (RCE) leading to crypto wallet hacks. 

We can’t confirm that such a vulnerability exists. This video is likely a hoax. Anyone can report potential vulnerabilities in our apps.

Telegram team

Expert weighs in

Following the news, crypto.news contacted Polyzoa founder Kirill Tiufanov about the possibility of an RCE attack vector highlighted by CertiK. Tiufanov, a web3 security veteran, surmised that this vulnerability seemed unlikely.

That’s quite an abstract assumption as they don’t give any tech details. Technically everyone can say don’t download unknown files as it might be risky.

Kirill Tiufanov, Polyzoa founder

While the claim remains in contention, CertiK advised users to turn off automatic media downloads to ensure maximum safety on the desktop application.

Several social media platforms allow users to download files with zero clicks, but Telegram is one of the few messaging providers enabling crypto features. The app’s design has allowed blockchain builders to integrate tools like BonkBot and wallets while maintaining security. 

Telegram does not support cryptocurrencies, but it can be used as a gateway for users and merchants to send and receive payments in digital assets.

Solutions like Binance Labs-backed Grindery have leveraged account abstraction smart contracts to unlock one-click transactions on the social media app. In addition, Telegram has opened up a revenue-sharing system for users backed by parent company The Open Network’s Toncoin, providing users with rewards for displaying ads on channels.