Security Advisory for Telegram Desktop Users Regarding .m3u Files
Telegram Desktop users are currently exposed to a significant security vulnerability associated with the .m3u file format. Cybersecurity experts have warned that simply opening a .m3u file received through Telegram can inadvertently expose the user's IP address, connection ports, and NTLMv2 hashes, information that can be exploited for unauthorized system access.
Understanding the .m3u File Format
The .m3u file format is typically a plain text file that contains a playlist of media links. However, when such a file is opened from Telegram Desktop, the media player that handles it automatically attempts to fetch each embedded link. If a link points to a malicious server operated by an attacker, the connection made by the Windows media player (such as Windows Media Player) can transmit sensitive data, including the local IP address and player-specific information.
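To make the format concrete from a defender's side, the following is an added example (not code from the advisory, Telegram, or any researcher named here) that parses an .m3u playlist and reports every entry that would cause a media player to contact a remote host. It assumes the plain-text form of .m3u (one location per non-comment line, `#` lines being directives), and the sample playlist and the 203.0.113.5 and 192.168.1.20 addresses in it are constructed for illustration.

```python
"""Inspect an .m3u playlist and flag entries that reach out to a remote host.

Added example; not the advisory's or Telegram's code. Assumes the simple
plain-text .m3u layout: '#' lines are directives, every other non-empty
line is a media location (local path, UNC path, or URL).
"""
import ipaddress
import re
import sys

# Constructed sample playlist (not taken from any real file): a local path,
# a UNC path to a non-private address, an http URL, a file:// URL, and a UNC
# path to a private (RFC 1918) address.
SAMPLE_M3U = """#EXTM3U
#EXTINF:123,Local track
C:\\Music\\track01.mp3
#EXTINF:-1,Remote share
\\\\203.0.113.5\\share\\track02.mp3
#EXTINF:-1,Remote stream
http://203.0.113.5/stream.mp3
file:///C:/Music/track03.mp3
\\\\192.168.1.20\\media\\track04.mp3
"""

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")          # \\host\share\...
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")         # C:\... or C:/...
URL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)")
REMOTE_SCHEMES = {"http", "https", "rtsp", "rtmp", "smb", "ftp", "mms"}

# Address ranges treated as internal; hostnames are not resolved offline,
# so a hostname is reported with internal=False and left to the analyst.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(host):
    """True only for literal IPs inside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def classify_entry(entry):
    """Return (kind, host) for one playlist location; host is None when local."""
    entry = entry.strip()
    m = UNC_RE.match(entry)
    if m:
        return ("unc", m.group(1))
    if DRIVE_RE.match(entry):
        return ("local", None)
    m = URL_RE.match(entry)
    if m:
        scheme, authority = m.group(1).lower(), m.group(2)
        host = authority.rsplit("@", 1)[-1].split(":")[0]   # strip user@ and :port
        if scheme == "file" and not host:
            return ("local", None)
        if scheme in REMOTE_SCHEMES or (scheme == "file" and host):
            return (scheme, host)
        return ("unknown", host or None)
    return ("local", None)   # bare relative path


def inspect_m3u(text):
    """List every entry that points at a remote host, with an internal/external flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        kind, host = classify_entry(line)
        if kind == "local":
            continue
        findings.append({"line": lineno, "kind": kind, "host": host,
                         "internal": is_internal(host)})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_M3U
    for f in inspect_m3u(text):
        tag = "internal" if f["internal"] else "EXTERNAL"
        print(f"line {f['line']}: {f['kind']} -> {f['host']} ({tag})")
```

Run with a file path to inspect a real playlist, or with no argument to see the constructed sample; a UNC entry pointing outside the internal ranges is exactly the pattern the advisory describes, because resolving it makes Windows open an SMB session to that host.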
Potential Exploit Mechanism
Attackers can employ tactics involving the Server Message Block (SMB) protocol, which is used for file sharing and resource access in Windows networks. By leveraging these techniques, they can compel the victim’s system to disclose NTLMv2 hash information. This hash is utilized for authentication in Windows login sessions and can be exploited using the “Pass-the-Hash” method, enabling an attacker to log into systems without needing the original password.
Expert Warnings and Recommendations
Cybersecurity expert Ngo Minh Hieu (Hieu PC) has strongly advised against opening .m3u files while using Telegram Desktop. He emphasizes that this vulnerability could lead to the unauthorized collection of NTLMv2 hashes and potential attacks that compromise internal systems. Users are encouraged to exercise caution with unsolicited files sent through the application.
If an attacker obtains a valid NTLMv2 hash, they may use it to access system accounts, particularly those with administrative or elevated privileges, allowing them to move through the internal network and potentially gain full control over organizational systems. Examples of the attack mechanisms can be found in publicly available resources, such as a GitHub repository.
Although Telegram has previously warned about the potential risks posed by .m3u8 files, similar alerts regarding .m3u files remain unaddressed, leaving this vulnerability open for exploitation.
Safety Measures
Users are strongly urged to refrain from opening any .m3u files received via Telegram Desktop, especially in Windows environments, until Telegram issues a warning system or implements a fix for this vulnerability. Organizations should enhance their network monitoring, utilize firewalls to restrict unexplained connections, and minimize SMB protocol exposure to the internet to mitigate these risks.
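The monitoring advice above can be turned into a concrete check. The following is an added example (not Telegram's or any vendor's code) that scans firewall log lines for outbound SMB (TCP 139/445) from internal hosts to destinations outside the private ranges, which is the traffic pattern a malicious .m3u entry would produce. The space-separated log layout and the sample lines, including the 203.0.113.5 destination, are constructed for this example; adapt the parser to your firewall's actual format.

```python
"""Flag outbound SMB from internal hosts to non-private destinations.

Added example; not from the advisory. The log layout below is invented:
<timestamp> <action> <proto> <src_ip> <src_port> <dst_ip> <dst_port>
"""
import ipaddress
from collections import Counter

# Constructed sample log lines: internal SMB (fine), SMB to an external host
# (allowed), web traffic to the same host (not SMB), a denied SMB attempt
# from another workstation, and DNS.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ALLOW TCP 192.168.1.20 51234 192.168.1.5 445
2024-05-01T10:00:05Z ALLOW TCP 192.168.1.20 51240 203.0.113.5 445
2024-05-01T10:00:07Z ALLOW TCP 192.168.1.20 51241 203.0.113.5 80
2024-05-01T10:00:09Z DENY TCP 192.168.1.31 51300 203.0.113.5 139
2024-05-01T10:00:12Z ALLOW UDP 192.168.1.20 51400 192.168.1.1 53
"""

SMB_PORTS = {139, 445}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_private(ip_text):
    """True for addresses in the RFC 1918, loopback and link-local ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, action, proto, src, sport, dst, dport = parts
    try:
        return {"ts": ts, "action": action.upper(), "proto": proto.upper(),
                "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}
    except ValueError:
        return None


def find_smb_egress(text):
    """Events where an internal source talks SMB to a non-private destination.

    Denied attempts are kept on purpose: a blocked connection still means
    something on that host tried to reach an outside SMB server.
    """
    hits = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dport"] not in SMB_PORTS:
            continue
        if is_private(ev["src"]) and not is_private(ev["dst"]):
            hits.append(ev)
    return hits


def summarize(hits):
    """Count (source, destination, action) triples for a quick triage view."""
    return Counter((h["src"], h["dst"], h["action"]) for h in hits)


if __name__ == "__main__":
    for (src, dst, action), n in summarize(find_smb_egress(SAMPLE_LOG)).items():
        print(f"{src} -> {dst} SMB {action} x{n}")
```

Allowed hits should be treated as an incident in their own right (the NTLM exchange has already happened), while denied ones confirm the firewall rule is doing its job and point at the workstation that opened the file.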