
A cybersecurity enthusiast from Russia reported a critical vulnerability in the Telegram messenger, which, in his opinion, could have allowed unauthorized access to user accounts even without a cloud password or two-factor authentication. The alleged flaw surfaced during authorization via the Telegram widget on third-party websites, particularly when accessed through the messenger’s embedded browser.
According to the researcher, such authorizations could create elevated-privilege sessions that remained invisible to account owners. As protective measures, he advised users to clear the history of Telegram’s internal browser, terminate all suspicious web sessions, delete cookies, and review the list of connected websites and bots. In some cases, he even recommended recreating the account entirely.
However, Telegram officially refuted the existence of any such vulnerability. In response to the report, the company’s specialists explained that the researcher had misinterpreted the mechanisms governing different types of authorizations. According to Telegram, the authorization token used in widgets is not linked to full Telegram Web sessions and cannot be exploited to access conversations or account data.
The company emphasized that widget-based authorizations create limited sessions intended solely for interaction with specific websites—for purposes such as voting or commenting. These sessions are displayed within the device settings section and are accompanied by notifications in Telegram, allowing users to terminate them immediately.
Telegram further clarified that the data transmitted through the Login Widget includes only public profile information—such as name, username, and profile photo—and never grants access to private messages, calls, or secret chats.
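The limited scope Telegram describes rests on how a site consumes the Login Widget payload: the site receives a handful of public profile fields plus an `auth_date` and a `hash`, and is expected to check that `hash` (an HMAC-SHA256 over the fields, keyed with SHA-256 of the bot token) before trusting the data. The following is an added example of that server-side check, not code from the original article or from Telegram; the bot token and the sample payload are constructed placeholders, and `MAX_AGE_SECONDS` is an assumed freshness limit a site chooses for itself.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed placeholder; a real token is issued by @BotFather and must stay server-side.
BOT_TOKEN = "123456789:PLACEHOLDER_BOT_TOKEN"
# Assumed freshness window: reject widget payloads older than one day.
MAX_AGE_SECONDS = 86400


def data_check_string(fields: Dict[str, str]) -> str:
    """Build the data-check string: every field except 'hash',
    sorted by key, written as key=value and joined with newlines."""
    return "\n".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "hash")


def secret_key(bot_token: str) -> bytes:
    """The HMAC key is SHA-256 of the bot token, not the raw token."""
    return hashlib.sha256(bot_token.encode()).digest()


def compute_hash(fields: Dict[str, str], bot_token: str) -> str:
    return hmac.new(
        secret_key(bot_token), data_check_string(fields).encode(), hashlib.sha256
    ).hexdigest()


def verify_login_payload(
    fields: Dict[str, str], bot_token: str = BOT_TOKEN, now: Optional[int] = None
) -> bool:
    """Return True only if the payload is authentic and fresh.

    The signature check binds the public profile fields to this site's bot,
    so a payload cannot be forged or edited without the bot token; the
    auth_date check limits how long a captured payload stays usable."""
    if "hash" not in fields or "auth_date" not in fields:
        return False
    expected = compute_hash(fields, bot_token)
    # Constant-time comparison avoids leaking the expected value via timing.
    if not hmac.compare_digest(expected, str(fields["hash"])):
        return False
    try:
        auth_date = int(fields["auth_date"])
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    return 0 <= current - auth_date <= MAX_AGE_SECONDS


def sign_login_payload(fields: Dict[str, str], bot_token: str = BOT_TOKEN) -> Dict[str, str]:
    """Attach the hash the way Telegram's side does; used here only to
    construct sample input for the verifier above."""
    signed = {k: v for k, v in fields.items() if k != "hash"}
    signed["hash"] = compute_hash(signed, bot_token)
    return signed


# Constructed sample payload carrying only the public fields the widget exposes.
SAMPLE_NOW = 1_700_000_000
SAMPLE_FIELDS = sign_login_payload({
    "id": "42",
    "first_name": "Alice",
    "username": "alice",
    "photo_url": "https://example.invalid/alice.jpg",
    "auth_date": str(SAMPLE_NOW - 60),
})

if __name__ == "__main__":
    print("valid payload:", verify_login_payload(SAMPLE_FIELDS, now=SAMPLE_NOW))
    print("tampered username:", verify_login_payload(
        dict(SAMPLE_FIELDS, username="mallory"), now=SAMPLE_NOW))
```

A site that accepts the widget payload without this check would be trusting whatever the browser posts; with it, the only thing a valid payload proves is that Telegram vouched for those public fields for this bot at `auth_date`, which matches the limited session the company describes.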
Additionally, all sessions, including those initiated through widgets, can be manually revoked by the user within the settings menu. No recent changes have been made to the authorization system, and the architecture remains unchanged.
Telegram also noted that to capture a web session or obtain an authorization token, an attacker would require physical access to the user’s device or browser.
Thus, the company’s official position is that the alleged vulnerability does not exist, and the operation of the widgets fully aligns with the originally established security model.