The vulnerability could affect about 1 billion people who use the popular chat app. Michael DePlante, a researcher with the Trend Micro Zero Day Initiative (ZDI), found the flaw. ZDI gave it a 9.8 CVSS score, but on Monday they lowered it to a high-severity 7.0.

Telegram, on the other hand, took to the social media site X to say that the flaw doesn't even exist, responding to the trouble and worry the report is already causing on social media and security blogs. "The attack vector is surprisingly simple: animated stickers," Carolina Vivianti, an independent cybersecurity consultant and adviser, wrote in a blog post on Red Hot Cyber.

Vivianti said that the flaw doesn't require a user to click or open anything in their Telegram session for it to work. The system processes the files to make previews, and the attack happens during that processing. If Telegram doesn't change its mind about the flaw, the public probably won't know until July if it really exists and is as dangerous as ZDI thinks it is.

For now, Telegram users should install all app updates as they come out in the next few months. Vivianti says that for most people, turning off automatic downloads isn't enough. They should either uninstall the app for a short time or use the Web version of Telegram in a browser that is up to date.

ZDI says that the CVSS score for the Telegram vulnerability has dropped from 9.8 to 7.0. Security company McAfee first reported the flaw on March 29, and ZDI and other security experts have since confirmed it.

We don't know if the weakness is the same one that McAfee talked about.