A cybersecurity enthusiast from Russia reported what he described as a critical vulnerability in the Telegram messenger which, according to him, could have allowed access to user accounts even without a cloud password or two-factor authentication. The alleged issue arose during authorization through Telegram widgets on third-party websites, especially within Telegram's built-in browser.
The researcher claimed that such authorizations could create sessions with elevated privileges that remained unnoticed by account owners. As protective measures, he recommended that users clear the built-in browser's history, terminate all suspicious web sessions, delete cookies, and recheck the list of connected websites and bots. In some cases, he even advised recreating the account.
However, Telegram officially denied the existence of such a vulnerability. In response to the report, the company's specialists explained that the researcher had misinterpreted the mechanisms behind different types of authorizations. According to Telegram, the authorization token used in widgets is not connected to full Telegram Web sessions and cannot be used to access messages or account data.
The company emphasized that authorization via widgets creates limited sessions, intended only for interaction with specific websites — for example, for voting or commenting. Such sessions are displayed in the devices section of the settings and are accompanied by a Telegram notification, allowing users to immediately terminate them.
Telegram also clarified that data transmitted through the Login Widget only includes publicly available profile information (name, username, photo) and never provides access to private messages or calls, including secret chats.
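To make the distinction concrete, the following added example (not code from the original article or from Telegram) shows what a third-party site actually receives from the Login Widget and how it checks that data using the verification scheme Telegram documents: the site hashes its bot token with SHA-256 to obtain a key, rebuilds the data-check string from the received fields (sorted key=value pairs joined by newlines, excluding hash) and compares an HMAC-SHA256 over it with the supplied hash, then rejects stale auth_date values. The bot token, the sample payload and the signing helper (used only to construct test data, since Telegram's servers do the real signing) are assumptions for the example. Nothing in the payload is a Telegram session token; a stolen copy lets an attacker replay a login to that one site within the freshness window, not read the account's messages.

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical bot token (assumption): a real one is issued by @BotFather and stays server-side.
BOT_TOKEN = "123456:EXAMPLE_BOT_TOKEN"

# The only fields the Login Widget hands to a site: public profile data, an auth_date
# and the hash that authenticates them. No Telegram session token is among them.
WIDGET_FIELDS = {"id", "first_name", "last_name", "username", "photo_url", "auth_date", "hash"}


def data_check_string(fields: dict) -> str:
    """key=value pairs sorted by key and joined with newlines; the hash field is excluded."""
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")


def sign_widget_payload(fields: dict, bot_token: str) -> dict:
    """Attach the hash Telegram's servers would compute. Used here only to build sample data."""
    secret_key = hashlib.sha256(bot_token.encode()).digest()
    signed = dict(fields)
    signed["hash"] = hmac.new(secret_key, data_check_string(fields).encode(),
                              hashlib.sha256).hexdigest()
    return signed


def verify_widget_payload(payload: dict, bot_token: str, max_age_s: int = 86400,
                          now: Optional[int] = None) -> Optional[dict]:
    """Return the authenticated profile fields, or None if the payload is forged, altered or stale."""
    # Reject unexpected fields outright: the widget never sends anything else.
    if not set(payload) <= WIDGET_FIELDS or "hash" not in payload or "auth_date" not in payload:
        return None
    secret_key = hashlib.sha256(bot_token.encode()).digest()
    expected = hmac.new(secret_key, data_check_string(payload).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing information about the expected hash.
    if not hmac.compare_digest(expected, payload["hash"]):
        return None
    now = int(time.time()) if now is None else now
    try:
        auth_date = int(payload["auth_date"])
    except ValueError:
        return None
    # A signed payload stays replayable forever unless the site enforces a freshness window.
    if auth_date > now or now - auth_date > max_age_s:
        return None
    return {k: v for k, v in payload.items() if k != "hash"}


# Constructed sample payload (not a real account); values mirror the widget's field set.
SAMPLE_AUTH_DATE = 1700000000
SAMPLE_FIELDS = {
    "id": "123456789",
    "first_name": "Alice",
    "username": "alice_example",
    "photo_url": "https://t.me/i/userpic/320/example.jpg",
    "auth_date": str(SAMPLE_AUTH_DATE),
}
SAMPLE_PAYLOAD = sign_widget_payload(SAMPLE_FIELDS, BOT_TOKEN)


if __name__ == "__main__":
    fresh = SAMPLE_AUTH_DATE + 60
    print("valid:   ", verify_widget_payload(SAMPLE_PAYLOAD, BOT_TOKEN, now=fresh))
    print("tampered:", verify_widget_payload(dict(SAMPLE_PAYLOAD, username="admin"),
                                             BOT_TOKEN, now=fresh))
    print("stale:   ", verify_widget_payload(SAMPLE_PAYLOAD, BOT_TOKEN,
                                             now=SAMPLE_AUTH_DATE + 2 * 86400))
```

The check that matters in practice is the last one: Telegram's signature proves the fields came from Telegram for this bot, but it is the site that must bind the payload to a short freshness window and, once accepted, issue its own session; the widget data should never be stored and reused as if it were a credential.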
Furthermore, all sessions, including widget-based ones, can be manually terminated by the user in the settings. There have been no recent changes to the authorization system, and its architecture remains the same.
Telegram separately noted that to hijack a web session or access an authorization token, an attacker would require physical access to the user's device or browser.
Thus, the company’s official position is that the claimed vulnerability does not exist, and the functioning of widgets aligns with the originally intended design.
