Google engineer Dan Reva has discovered a vulnerability in Telegram for macOS that allows attackers to use the laptop’s camera and microphone.
The vulnerability allows an attacker to inject a malicious dynamic library (dylib) into Telegram on macOS. With it, attackers can record video from the camera with sound and save the file to a hidden folder on the Mac. Moreover, video and audio recording works even if the corresponding permissions are disabled.
This is possible because Telegram for macOS does not use Apple’s built-in Hardened Runtime security mechanism.
Reva reported this issue to the Telegram team in February 2022, but the developers did not respond and have still not fixed the vulnerability.
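For defenders who want to check whether an installed app opts in to Hardened Runtime, the following is an added example, not code from the article or from Telegram. It parses the `flags=` field that `codesign -dv` prints and looks for two entitlements that relax library loading; the sample output and the `com.example.messenger` identifier are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check whether a code signature opts in to Hardened Runtime.
CS_RUNTIME=0x10000   # "runtime" bit in the CodeDirectory flags field

# Constructed samples of `codesign -dv` output (not taken from any real app).
SAMPLE_PLAIN='Identifier=com.example.messenger
CodeDirectory v=20400 size=1200 flags=0x0(none) hashes=30+5 location=embedded'
SAMPLE_HARDENED='Identifier=com.example.messenger
CodeDirectory v=20500 size=1300 flags=0x10000(runtime) hashes=30+7 location=embedded'

# stdin: `codesign -dv` text. stdout: hardened | not-hardened | unparsed
runtime_status() {
    flags=$(sed -n 's/^CodeDirectory .* flags=\(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    if [ -z "$flags" ]; then
        echo "unparsed"
    elif [ $(( $flags & $CS_RUNTIME )) -ne 0 ]; then
        echo "hardened"
    else
        echo "not-hardened"
    fi
}

# stdin: entitlements plist. stdout: entitlements that relax library
# validation or dyld environment handling even under Hardened Runtime.
weakening_entitlements() {
    grep -o -E 'com\.apple\.security\.cs\.(allow-dyld-environment-variables|disable-library-validation)' | sort -u
}

# On macOS: report both checks for one app bundle (codesign -dv writes to stderr).
audit_app() {
    status=$(codesign -dv "$1" 2>&1 | runtime_status)
    weak=$(codesign -d --entitlements :- "$1" 2>/dev/null | weakening_entitlements | tr '\n' ' ')
    echo "$1: runtime=$status weakening_entitlements=${weak:-none}"
}

if command -v codesign >/dev/null 2>&1 && [ -n "$1" ]; then
    audit_app "$1"
else
    # No codesign available (or no path given): run on the constructed samples.
    printf '%s\n' "$SAMPLE_PLAIN" | runtime_status
    printf '%s\n' "$SAMPLE_HARDENED" | runtime_status
fi
```

On a Mac, pass the path of an app bundle as the first argument; a result of `not-hardened` means the signature does not request the runtime protections the article refers to.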