Telegram Info English
This is the English mirror of @tginfo.

Ask Questions & Discuss: @tginfochaten
Beta Channel: @betainfoen
TON: @infotonen
Other Languages: @tginfoall
Feedback & Commercial: @infowritebot
ZDI Registered a Critical Vulnerability in Telegram — Don't Panic

On March 26, an entry ZDI-CAN-30207 concerning Telegram appeared in the database of the Zero Day Initiative — the largest independent vulnerability hunting program. The vulnerability was discovered by researcher Michael DePlante from Trend Micro.

Details are classified: according to ZDI regulations, the specifics will be disclosed either as soon as the messenger fixes the issue, or on July 24, 2026, if it does not.

There is no information about the vulnerability being exploited "in the wild" by actual hackers. Right now, no one except the researcher and Telegram developers knows what the vulnerability entails.


The popular theory about animated stickers is speculation and rumor, not facts known from this entry. All other "details" being spread by media and channels are either conjecture or descriptions of already fixed old vulnerabilities. There is no need to panic.

What to do:


• Update Telegram immediately when new versions are released.
• Use the official Telegram app to receive the update with the fix on the very first day.
• No other specific protective measures can be taken — the nature of the vulnerability is unknown.

Telegram's Reaction

The messenger's press service stated to Durov's Code that the vulnerability does not exist. Their argument: all stickers are checked by servers, therefore "the existence of such an exploit is impossible".

The @tginfo editors find this reaction strange. For some reason, Telegram commented specifically on the speculations about stickers, even though the attack vector has not been disclosed and might have nothing to do with them. It is unclear why the messenger chose to refute rumors instead of simply confirming their work on the ZDI report.

The assertion itself that the exploit does not exist due to server-side verification is technically flawed: server validation is merely one of the protection layers, which itself can contain errors and may not cover all possible scenarios. Moreover, stickers that cause the Android app to crash still exist today, which already calls into question the comprehensiveness of the claimed check.

The messenger's response to Durov's Code is a declaration, not an argument. It will only be possible to confirm or deny the existence of the problem after the details are published or a patch is released.

What Open Data Says

From the ZDI entry, the preliminary severity score — 9.8 out of 10 — and the attack vector parameters are known. If the assessment is correct, the vulnerability can be exploited remotely over the network, requires no user interaction and no system privileges, and potentially allows an attacker to gain full access to the user's data.

These are serious parameters; however, the preliminary score is set by the researcher and may be adjusted.

Context

It is not the first time Telegram has faced critical vulnerabilities. In 2020, Shielder researchers discovered 13 vulnerabilities in the rlottie library for animated stickers, including out-of-bounds write errors that allowed for remote memory corruption on the device. Telegram fixed the specific bugs but did not change the processing architecture. Potentially, animated stickers remain a broad attack surface, so it cannot be ruled out that the new vulnerability exploits them specifically.

In 2024, a flaw was discovered in Telegram Desktop that allowed programs to be disguised as videos, making it easier to convince a victim to click and launch them. In 2025, a similar EvilLoader vulnerability was found on Android. At the same time, the Russian vulnerability broker Operation Zero offered up to $4 million for zero-click exploits in Telegram, while a representative of the messenger told Forbes that "Telegram has never been vulnerable to zero-click exploits."

Practice shows that Telegram prefers to patch specific holes without addressing systemic security problems, and such rhetoric about the "absolute impossibility" of exploits does not inspire confidence considering this story.
Telegram May Warn Chat Partners If You Use an Unofficial Client

A new entry has been discovered in the translation string database for the official Telegram for iOS client, indicating the potential introduction of warnings when a chat partner is using a third-party messenger client.

"The user uses an unofficial Telegram client – messages to this user may be less secure," reads the string for translation.


The appearance of such a notification is likely related to the growing popularity of the Russian third-party client "Telega", which, unlike a regular proxy, sends messages to a Russian company's servers in a way that allows them to be decrypted and read there. Furthermore, Russian companies are legally obligated to store and hand over data to the FSB upon request.

The @tginfo editors assume that Telegram isn't blocking this client directly as a compromise to maintain its position in the Russian market, but is striving to mitigate reputational risks: a single chat participant with an unofficial app is enough to put the remaining users at risk.

It is unknown whether the warning will be displayed when a chat partner uses any alternative client, even one that is officially registered and follows the API ToS, or if the new feature will only affect apps that Telegram deems unreliable. @tginfo editors fear that if the new feature applies to all third-party apps, this warning could turn into visual noise.

#iOS #security
Telegram for Android and iOS Updated to Version 12.6

The April update is live and brings many new features:

Poll improvements across the board: deadlines, media files in answers, random option order, and the ability for participants to suggest their own options.

At the same time, poll answer options have received separate links to specific voting options, as well as the ability to reply to them, copy, and delete user-suggested options.

AI text editor and translator: a built-in assistant for translation, error correction, style changes, and automatic emoji placement. A few uses are available for free, with increased limits for Premium.

Live & Motion Photos: support for viewing and sending "moving" photos (a short video before and after the shutter button was pressed). The sender can select one of the three playback styles in the media editor: Live, Loop, and Bounce.

Profile Playlist: search through saved tracks and add audio files directly from device storage and shared audio in Telegram.

Updated indicators: a redesigned look for mentions and reactions, as well as notifications about new votes in your polls directly in the chat list.

Other Updates
• Bots can now easily allow their users to create customized subagent profiles with a custom name and profile picture, designed to replace manually creating bots and passing their tokens.
• On iOS, easily scan documents with your camera and combine the scans into a PDF file.
• A warning when somebody is using an unofficial Telegram client.
• Separate "Polls" tab in channel and chat profiles.
• Stories now display the music file that was used in them.

Article: telegram.org/blog/ai-editor-mighty-polls-and-more/

Download the update
• Android: Google Play, Direct APK on the official website or verified channel
• iOS: App Store.

#update #Android #iOS
Main Announcements From Telegram Summit 2026

Telegram's closed conference Telegram Summit 2026 concluded today, where the messenger's team presented revolutionary new features for the upcoming year. The @tginfo editors closely followed the presentation and have collected the most important announcements from the event.

AI Innovations

Smart media compression. To save server space, photos and videos in old chats will be replaced with their brief text descriptions generated by an AI. If you need to view a deleted file, the messenger will recreate it from the text. In addition, all voice messages longer than three minutes will be forcibly transcribed, and their originals permanently deleted.

Replacing the declining audience with AI agents. If your chat partner hasn't logged into the app for a month, the messenger will automatically create a language model based on their chat history that will continue to respond to new messages. The developers call this an innovative solution to the problem of empty contact lists: no one wants to use a messenger if they can't chat with their friends. This is especially relevant in Russia, where the user base is declining amid a ban on the messenger.

Media

Static Videos. In addition to animated photos (Motion Photos), the messenger is working on support for Static Videos. The new feature is designed to improve the user experience in conditions of throttled internet.

Square video messages. The classic "circles" will become an exclusive privilege for Telegram Premium subscribers. Users of the basic version of the messenger will only be able to send square videos.

Content and Community Quality

The 🤡 reaction will become paid. Using the clown emoji in channels and chats will become a paid feature. By leaving this reaction under a post, users will automatically transfer 5 stars to its author.

"Revolution" in channels. The audience will get the opportunity to impeach channel administrators for low-quality content and vote to transfer ownership rights to a new owner. To avoid abuse of the system, every vote will be subject to a fee.

Telegram Premium for families. The team is testing a family subscription. However, at the moment, it is available only to Pavel Durov's biological children. As the company notes, "a large-scale beta test has already been launched, and the plan has become available to a hundred users."

#foolsday