Not-so-smart home www.kaspersky.com/blog/vuln…
Our experts at GReAT have uncovered a dangerous vulnerability in a smart-home control app that allowed attackers to disable physical security systems.
This vulnerability stemmed from the app sending sensitive data during its logging process. The developers used the Telegram Bot API to collect analytics and send debug information files from users to a private development-team chat via a Telegram bot.
Logging events via Telegram has recently become increasingly popular: receiving important notifications in a messenger is convenient and fast. However, this approach requires caution. We recommend not forwarding sensitive data in application logs and, in addition, either prohibiting copying and forwarding of content from the group in Telegram settings or using the protect_content parameter when sending a message through a Telegram bot.
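An added example (not code from the app or from the original post) showing both recommendations together: a log event is stripped of sensitive values before it is handed to the Bot API sendMessage method, and the request sets protect_content. The field names, the key=value pattern, and the sample event are assumptions made for illustration.

```python
import json
import re
import urllib.request

# Assumed field names that must never leave the device in a log line.
SENSITIVE_KEYS = {"password", "token", "session", "auth", "pin", "secret"}
# Assumed pattern for credentials embedded in free-text values (key=value form).
INLINE_SECRET = re.compile(r"(?i)\b(password|token|pin|secret)=\S+")


def redact(event):
    """Return a copy of a log event with sensitive values masked, recursively."""
    if isinstance(event, dict):
        return {
            k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
            for k, v in event.items()
        }
    if isinstance(event, list):
        return [redact(v) for v in event]
    if isinstance(event, str):
        return INLINE_SECRET.sub(lambda m: m.group(1) + "=[REDACTED]", event)
    return event


def build_send_message(chat_id, event):
    """Build the sendMessage body: redacted text plus protect_content."""
    return {
        "chat_id": chat_id,
        "text": json.dumps(redact(event), sort_keys=True),
        # Bot API flag: protects the message from forwarding and saving.
        "protect_content": True,
    }


def send_log(bot_token, chat_id, event):
    """POST the payload to the Bot API (bot_token is supplied by the caller)."""
    req = urllib.request.Request(
        f"https://api.telegram.org/bot{bot_token}/sendMessage",
        data=json.dumps(build_send_message(chat_id, event)).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample event; not taken from the app described above.
SAMPLE = {"event": "login_failed", "user": "alice", "password": "hunter2",
          "detail": "retry with pin=4821 rejected", "ctx": [{"Token": "abc"}]}
```

Redaction is the primary control here: protect_content only restricts forwarding and saving inside Telegram, so anything that reaches the chat is still readable by every member of it.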