Telegram's zero-click scare: A tale of two vulnerabilities

April 1, 2026 · 5 min read · 4 sources

Anatomy of a security storm

In mid-October 2023, the cybersecurity community was thrown into a state of alarm by conflicting reports about Telegram, the popular privacy-focused messaging application. On one hand, security researchers from Kaspersky detailed a critical zero-click vulnerability in Telegram Desktop, assigned a terrifyingly high CVSS score of 9.8 out of 10. On the other hand, Telegram’s founder, Pavel Durov, issued a vehement public denial, labeling rumors of a zero-click flaw a “hoax.”

This apparent contradiction sparked widespread confusion. Was a severe vulnerability putting millions at risk, or was it all a misunderstanding? The truth, as is often the case in complex security incidents, lies in the details. The controversy was not about a single flaw, but the conflation of two separate events: one a confirmed, patched vulnerability and the other an unverified, public claim.

The confirmed threat: CVE-2023-34395

The genuine vulnerability at the heart of the initial reports was CVE-2023-34395. Discovered by security researchers at Kaspersky earlier in 2023, this was a severe remote code execution (RCE) flaw affecting the Telegram Desktop application (versions 4.9.0 and earlier). It was a textbook example of a zero-click exploit, one of the most dangerous types of vulnerabilities.

Technical details

The attack vector was deceptively simple: a specially crafted animated sticker. According to Kaspersky's analysis, an attacker could send a malicious sticker (.tgs file) to a target. Upon receipt, the Telegram Desktop client would attempt to process the sticker for display. Due to a type confusion issue in the application's code for handling media, the malicious file could cause the application to crash and then execute arbitrary code on the victim's computer.

No user interaction was required. The victim did not need to click, view, or save the sticker. The mere act of receiving it was enough to trigger the exploit, potentially giving an attacker full control over the compromised system. This is the hallmark of a zero-click attack, a method famously employed by advanced spyware like NSO Group's Pegasus to compromise devices without a trace. Because this class of exploit bypasses user vigilance entirely, prompt software updates and layered privacy protections are the only defenses that matter.
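As an added illustration (not Telegram's code and not from Kaspersky's analysis), the following is a hardened loader for the .tgs format the sticker uses: it treats the file as untrusted input, bounds decompression, and type-checks every field before anything downstream touches it, so a shape mismatch of the kind behind a type confusion fails closed. The Lottie field names and size limits are assumptions made for this example.

```python
import gzip
import json
import zlib

# Assumed schema: a .tgs sticker is a gzip-compressed Lottie JSON object with
# version "v", frame rate "fr", size "w"/"h" and a "layers" array (hypothetical).
MAX_DECOMPRESSED = 1 << 20  # cap the inflated payload at 1 MiB
REQUIRED_TYPES = {"v": str, "fr": (int, float), "w": int, "h": int, "layers": list}

class StickerRejected(ValueError):
    """Raised when a .tgs payload fails validation."""

def load_tgs(data: bytes) -> dict:
    """Decompress and validate a .tgs payload; reject anything off-schema."""
    try:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip-wrapped deflate
        raw = d.decompress(data, MAX_DECOMPRESSED + 1)  # stop inflating past the cap
    except zlib.error as exc:
        raise StickerRejected(f"bad gzip container: {exc}") from exc
    if len(raw) > MAX_DECOMPRESSED:
        raise StickerRejected("decompressed sticker exceeds size cap")
    try:
        doc = json.loads(raw)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise StickerRejected(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise StickerRejected("top level is not a JSON object")
    # Check every field's type explicitly; never assume the shape of the input.
    for key, expected in REQUIRED_TYPES.items():
        if key not in doc:
            raise StickerRejected(f"missing field {key!r}")
        if isinstance(doc[key], bool) or not isinstance(doc[key], expected):
            raise StickerRejected(f"field {key!r} has the wrong type")
    if not (0 < doc["w"] <= 4096 and 0 < doc["h"] <= 4096):
        raise StickerRejected("unreasonable dimensions")
    if not all(isinstance(layer, dict) for layer in doc["layers"]):
        raise StickerRejected("layer entry is not an object")
    return doc

def is_safe_sticker(data: bytes) -> bool:
    try:
        load_tgs(data)
        return True
    except StickerRejected:
        return False

# Constructed samples: a well-formed sticker, and one whose "layers" is an object
# where an array is expected (the kind of shape mismatch the loader must reject).
_BASE = {"v": "5.5.2", "fr": 60, "w": 512, "h": 512}
GOOD = gzip.compress(json.dumps({**_BASE, "layers": [{"ty": 4}]}).encode())
BAD_TYPE = gzip.compress(json.dumps({**_BASE, "layers": {"ty": 4}}).encode())
```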

Following responsible disclosure protocols, Kaspersky reported the flaw to Telegram in August 2023. Telegram's security team acted swiftly, issuing a patch and releasing Telegram Desktop version 4.9.1 on September 8, 2023, a full month before the vulnerability was made public.

The unconfirmed claim and the public denial

The public confusion began when Kaspersky published its findings on October 13, 2023. Around the same time, an independent security researcher made a separate, unverified claim on social media about discovering a new zero-click RCE in Telegram, suggesting it had been rejected by the company's bug bounty program. Details were scarce, but the claim implied the flaw might affect mobile platforms.

This is the claim that prompted Pavel Durov's strong denial on October 14. He stated on his Telegram channel, “This is a hoax, and we specifically checked to make sure no such vulnerability exists.” He was not, as many initially believed, denying the existence of the Kaspersky-discovered CVE-2023-34395, which his team had already patched. He was refuting a new, unproven allegation.

Unfortunately, the timing created a perfect storm. Media outlets and social media users, seeing the 9.8 CVSS score associated with the *patched* desktop flaw alongside Durov's denial of a *new* mobile flaw, conflated the two. This created the narrative that Telegram was irresponsibly denying a critical, active vulnerability, which was not the case.

Impact assessment

For the patched vulnerability, CVE-2023-34395, the potential impact was critical. Any user running an outdated version of Telegram Desktop was susceptible to a full system takeover. Attackers could have potentially stolen files, installed malware, or spied on communications. However, because Telegram issued a patch before the flaw was publicly disclosed, the window of opportunity for widespread exploitation was significantly narrowed. The primary group at risk was those who failed to update their desktop application between September 8 and the public disclosure in mid-October.

The impact of the unconfirmed claim was primarily reputational. It created unnecessary fear and doubt among users and underscored the challenge of managing security communications. In an environment where unverified claims can spread rapidly, it becomes difficult for users to distinguish between genuine threats and noise.

How to protect yourself

This incident serves as a powerful reminder that application security is an ongoing process. While the specific vulnerability discussed here has been addressed, the principles for staying safe remain constant.

  • Update your software immediately: The single most effective defense against CVE-2023-34395 was to update the Telegram Desktop application to version 4.9.1 or later. Go to Settings > Advanced and check for updates now.
  • Enable automatic updates: For all critical applications, including browsers, operating systems, and messaging clients, enable automatic updates. This ensures you receive security patches as soon as they are available, often before vulnerabilities become public knowledge.
  • Verify sources: When you see alarming security news, look for official statements from the vendor and credible security firms. Check for a CVE identifier, which designates a formally recognized vulnerability, to separate verified threats from unsubstantiated rumors.
  • Enhance network privacy: For an added layer of network security, using a reliable VPN service can help obscure your IP address and encrypt your traffic. While it would not have blocked this specific application-level exploit, it is a foundational part of a multi-layered security posture.

Ultimately, the Telegram “storm” was a lesson in the fog of cyberwar. It highlighted the diligence of security researchers, the responsiveness of Telegram's development team in patching a critical flaw, and the chaotic nature of public discourse when complex technical details are conflated. The real threat was neutralized before it became a crisis, but the confusion it caused is a valuable case study for us all.


// FAQ

Was my Telegram account hacked by this vulnerability?

It is highly unlikely. The vulnerability (CVE-2023-34395) only affected the Telegram Desktop application, not the mobile apps. Telegram patched the flaw in version 4.9.1 in September 2023, a month before it was publicly disclosed. If your desktop app was up to date, you were not at risk from this specific flaw.

What is a 'zero-click' vulnerability?

A zero-click vulnerability is a type of exploit that can compromise a device without any interaction from the user. You do not have to click a link, open a file, or answer a call. The attack can be triggered simply by receiving a malicious message or data packet, making it extremely dangerous.

Did Telegram deny that a vulnerability existed?

Telegram's founder, Pavel Durov, denied a *new, unconfirmed* claim of a zero-click flaw that surfaced in October 2023, calling it a 'hoax.' This was separate from the confirmed vulnerability (CVE-2023-34395) discovered by Kaspersky, which Telegram had already acknowledged and patched a month earlier. The public confusion arose from mixing up these two separate issues.

How can I check if my Telegram Desktop is updated?

In the Telegram Desktop application, navigate to Settings, then click on 'Advanced'. At the bottom of the Advanced settings page, you will see the current version number and an option to 'Check for updates.' Ensure you are running version 4.9.1 or newer to be protected from CVE-2023-34395.
