Popular messaging app Telegram fixed a privacy-defeating bug in its macOS app that made it possible to access self-destructing audio and video messages long after they disappeared from secret chats.
Security researcher Dhiraj Mishra discovered the vulnerability in version 7.3 of the app and disclosed his findings to Telegram on December 26, 2020. The issue has since been resolved in version 7.4, released on January 29.
Unlike Signal or WhatsApp, conversations on Telegram by default are not end-to-end encrypted, unless users explicitly opt to enable a device-specific feature called “secret chat,” which keeps data encrypted even on Telegram servers. Also available as part of secret chats is the option to send self-destructing messages.
What Mishra found was that when a user records and sends an audio or video message via a regular chat, the application leaked the exact path where the recorded message is stored in “.mp4” format. With the secret chat option turned on, the path information is not spilled, but the recorded message still gets stored in the same location.
In addition, even in cases where a user receives a self-destructing message in a secret chat, the multimedia message remains accessible on the system even after the message has disappeared from the app’s chat screen.
“Telegram says ‘super secret’ chats do not leave traces, but it stores the local copy of such messages under a custom path,” Mishra told The Hacker News.
Separately, Mishra also identified a second vulnerability in Telegram’s macOS app that stored local passcodes in plaintext in a JSON file located under “/Users/<user_name>/Library/Group Containers/<*>.ru.keepcoder.Telegram/accounts-metadata/.”
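A defender can check a metadata directory for this class of problem by walking its JSON files and reporting secret-named fields whose values are not stored as digests. The sketch below is an added example, not Telegram's code or Mishra's proof of concept; the key-name pattern, the digest heuristic and the sample files are assumptions, since the report does not name the JSON field involved.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed key-name pattern; the article does not name the field Telegram used.
SECRET_KEY = re.compile(r"pass(code|word|phrase)", re.IGNORECASE)
# Assumed heuristic: 32+ hex characters is treated as a digest, not plaintext.
DIGEST = re.compile(r"^[0-9a-fA-F]{32,}$")

def leaves(node, trail="", key=""):
    """Yield (dotted_path, nearest_key_name, value) for each scalar in parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, f"{trail}.{k}" if trail else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, f"{trail}[{i}]", key)
    else:
        yield trail, key, node

def audit_metadata(root):
    """Return (file, key_path, readable_by_group_or_other); secret values are never returned."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):  # unreadable or not JSON: skip
            continue
        exposed = bool(path.stat().st_mode & 0o044)
        for key_path, key, value in leaves(doc):
            plain = isinstance(value, (str, int)) and not isinstance(value, bool)
            if SECRET_KEY.search(key) and plain and str(value) and not DIGEST.match(str(value)):
                findings.append((path.name, key_path, exposed))
    return findings

def demo():
    """Audit a constructed directory (sample data, not real Telegram files)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "plain.json").write_text(json.dumps({"accounts": [{"localPasscode": "1234"}]}))
        Path(d, "hashed.json").write_text(json.dumps({"passcodeHash": "ab" * 32}))
        Path(d, "notes.txt").write_text("not json")
        return [(name, key) for name, key, _ in audit_metadata(d)]

if __name__ == "__main__":
    print(demo())
```

On a Mac, `audit_metadata` can be pointed at the accounts-metadata directory named above; it reports only file names and key paths, so the output is safe to attach to a ticket.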
Mishra was awarded €3,000 for reporting the two flaws as part of Telegram’s bug bounty program.
Telegram in January hit a milestone of 500 million active monthly users, in part led by a surge in users who fled WhatsApp following a revision to its privacy policy that includes sharing certain data with its corporate parent, Facebook.
While the service does encrypt traffic between client and server (using a proprietary protocol named “MTProto”) and also encrypts messages stored in the Telegram cloud, it’s worth keeping in mind that group chats offer no end-to-end encryption and that all default chat histories are stored on its servers. This is to make conversations easily accessible across devices.
“So if you are on Telegram and want a truly private group chat, you’re out of luck,” Raphael Mimoun, founder of the digital security nonprofit Horizontal, said last month.