Description: Telegram Web can communicate with Telegram app without permission prompt.
Steps:
Log in to the Telegram app
In Vanadium, set 2 split Local Network permission to Ask
Open a new Vanadium incognito tab. Browse https://web.telegram.org (Telegram Web)
Expected result: Without permissions, Telegram Web shouldn't communicate with Telegram app. It shouldn't know what my Telegram account is.
Actual Result: Without asking for Local Network Access permissions, Telegram Web automatically logs me in with the same account used in the Telegram app. It didn't even ask for my phone number or password. It just logs me in smoothly.
Analysis: the first possibility is that LNA permissions are broken and would silently allow websites to access the localhost network. The second possibility is that Telegram Web uses an unknown method to precisely identify my Telegram account, which should be viewed as an exploit.
Environment: husky, Vanadium 147.0.7727.101
Question: How does Telegram Web know what my Telegram app account is without me providing a phone number?