Last weekend, I spent some time exploring the web version of Telegram at
web.telegram.org/k. My goal? To figure out how Telegram handles the display of gifts. (For context, Telegram lets you buy animated sticker gifts and send them to your friends!)
I wanted to see if Telegram made it impossible to download these animations for reuse. At first, I thought they had nailed the security… but after digging a little deeper, I realized that wasn’t entirely the case.
The web version of Telegram uses a Lottie Viewer to display the animations. Lottie creates an HTML5 canvas to render the animations, so when you inspect the gift, all you see is an animation canvas. Nothing that looks downloadable, right?
But as I kept digging, I stumbled upon a very interesting piece of code:
async function extractJson(tgsUrl: string) {
const response = await fetch(tgsUrl);
const contentType = response.headers.get('Content-Type');
if (contentType?.startsWith('text/')) {
return response.text();
}
const arrayBuffer = await response.arrayBuffer();
return inflate(arrayBuffer, { to: 'string' });
}
You see what I see? Yep, I should’ve checked the page’s network requests right from the start!!
Turns out, Telegram Web directly fetches the .tgs files from its backend. By opening the
Network tab in the browser inspector, I noticed a request being made for each gift to retrieve the .tgs file. These files are then turned into animations by their Lottie Viewer.
The result? I simply downloaded these .tgs files to get the animations. Not so hard after all, once you know where to look!
👀 Now, is this a mistake on their part? A flaw? Or just how it’s supposed to work because these animation files aren’t meant to be inaccessible? Honestly, I’m not sure. Maybe Telegram doesn’t see it as an issue that the .tgs files are downloadable.
🤷♂️ Interestingly, when I checked the web version again this morning, I noticed that the
Send Gifts option had been removed. Was this their fix for the problem? Or just a coincidence? Who knows!
😅