A new vulnerability in Telegram WebK versions below 2.0.0 allows threat actors to hijack user sessions via XSS: the victim's session IDs are kept in JavaScript local storage, where injected script can read them.
The XSS is triggered through the web_app_open_link event type, exploited via a Bot + Mini App that supplies a malicious website link. Telegram patched it quickly by adding a safeWindow URL to prevent Referer header leaks, and advises users to upgrade to WebK 2.0.0 (488) to avoid exploitation. https://cybersecuritynews.com/telegram-web-app-xss-vulnerability-hijack-sessions/
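As an added illustration of the defensive pattern behind such a fix (this is not Telegram WebK's code, and the event payload shape `{ url }` is assumed), the handler below vets a link received from a mini app before opening it: it accepts only absolute http(s) URLs, so non-web schemes never reach the page context, and opens the link with noopener,noreferrer so no Referer is sent and the new window cannot reach back through window.opener.

```javascript
// Added example (not Telegram's code): hardened handling of a link delivered by a
// mini app through a web_app_open_link-style event.
// Assumptions: the payload is { url: string }; the risky inputs are non-http(s)
// schemes (e.g. javascript:) and Referer leakage to the opened site.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, url, features } for an acceptable link, else { ok: false, reason }.
function vetExternalLink(rawUrl) {
  if (typeof rawUrl !== "string" || rawUrl.length > 2048) {
    return { ok: false, reason: "not a string or too long" };
  }
  let parsed;
  try {
    parsed = new URL(rawUrl); // absolute URLs only; relative URLs throw
  } catch {
    return { ok: false, reason: "unparseable or relative URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme not allowed: ${parsed.protocol}` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // noopener: new window gets no window.opener; noreferrer: no Referer header sent.
  return { ok: true, url: parsed.href, features: "noopener,noreferrer" };
}

// Event handler. `opener` is injectable so the logic can be exercised without a browser;
// the default uses window.open with the vetted features string.
function handleWebAppOpenLink(payload, opener = (u, f) => window.open(u, "_blank", f)) {
  const verdict = vetExternalLink(payload && payload.url);
  if (!verdict.ok) {
    return verdict; // rejected links are never opened
  }
  opener(verdict.url, verdict.features);
  return verdict;
}
```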