CVE-2020-10570: 
NixOS vulnerability analysis and mitigation

The Telegram application through version 5.12 for Android contained a security vulnerability (CVE-2020-10570) that affected the passcode feature when Show Popup was enabled. The vulnerability was discovered in October 2019 and was patched in version 5.13, released in December 2019. The issue affected the privacy protection mechanisms of the application's passcode feature (Github Advisory).

The vulnerability arose from a conflict between the popup notification feature and the passcode protection mechanism in Telegram for Android. When Show Popup was enabled, it created a condition that could potentially undermine the passcode protection. The vulnerability received a CVSS v3.1 Base Score of 6.1 (MEDIUM) with a vector string of CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating that physical access was required for exploitation (NVD).

The vulnerability could allow physically proximate attackers to bypass intended restrictions on message reading and message replying, effectively circumventing the passcode feature's privacy protections. This could lead to unauthorized access to user messages and communication when an attacker had physical access to the device (NVD).

The vulnerability was patched in Telegram version 5.13 for Android, released in December 2019. Users were advised to update to this version or later to protect against this security issue (Github Advisory).

The vulnerability was responsibly disclosed to Telegram on October 10, 2019. The vendor acknowledged the issue on November 19, 2019, and subsequently patched it in version 5.13. The researcher received a bounty payment on January 14, 2020, indicating the vendor's recognition of the security finding (Github Advisory).