At the end of October \u201819 I was skimming the Telegram\u2019s android app code<\/a>, learning about the technologies in use and looking for potentially interesting features. Just a few months earlier, Telegram had introduced the animated stickers<\/a>; after reading the blogpost I wondered how they worked under-the-hood<\/em> and if they created a new image format for it, then forgot about it. Research is one of Shielder\u2019s pillars<\/strong> \u2013 head over to our research page<\/a> to learn more about our commitment to improve the security of the digital ecosystem.<\/p>\n What follows is my journey in researching the lottie animation format, its integration in mobile apps and the vulnerabilities triggerable by a remote attacker against any Telegram user<\/strong>. The research started in January 2020 and lasted until the end of August, with many pauses in between to focus on other projects.<\/p>\n During my research I have identified 13 vulnerabilities in total<\/strong>: 1 heap out-of-bounds write, 1 stack out-of-bounds write, 1 stack out-of-bounds read, 2 heap out-of-bound read, 1 integer overflow leading to heap out-of-bounds read, 2 type confusions, 5 denial-of-service (null-ptr dereferences).<\/p>\n All the issues I have found have been responsibly reported to and fixed by Telegram<\/strong> with updates released in September and October 2020:<\/p>\n Those updates include the fixes (the other types of clients are not affected by the vulnerabilities I have identified) \u2013 basically if you have updated your Telegram client in the last 4 months you are safe<\/strong>. If not, I recommend you to update it as soon as possible.<\/p>\n Let\u2019s start from the original Lottie project by Airbnb, from airbnb.io\/lottie<\/a>:<\/p>\n Lottie is a library for Android, iOS, Web, and Windows that parses Adobe After Effects animations exported as json with Bodymovin and renders them natively on mobile and on the web!<\/p>\n<\/blockquote>\n \u201cAs json<\/strong>\u201d is particularly interesting here, I was expecting some tricky 90\u2019s proprietary binary specification but instead they chose to use one of the most common and simple formats to date. (This got me also wondering whether memory corruptions would be harder to find, but it was too early to tell!)<\/p>\n As we have read, a Lottie animation is defined as a JSON with some information such as the frame rate \u201cfr<\/strong>\u201d and the version identifier \u201cv<\/strong>\u201d at its root, while most of the juicy features lie in the \u201clayers<\/strong>\u201d array.<\/p>\n At its minimum, a Lottie animation looks like this:<\/p>\n
\nBack to the skimming, I stumbled upon the rlottie<\/strong> folder<\/a> and started googling. It turned out to be the Samsung native library<\/a> for playing Lottie animations, originally created by Airbnb<\/a>. I don\u2019t know about you but the combination of Telegram<\/strong>, Samsung<\/strong>, native<\/strong> and animations<\/strong> instantly triggered my interest in learning more \ud83d\udc40.<\/p>\nExecutive summary<\/h2>\n
\n
Table of contents<\/h2>\n
\n
\n
\n
Lottie by Airbnb<\/h2>\n
\n