Are you using Telegram? If so, you should know that the messaging app fixed a privacy-related vulnerability in the macOS app. The bug made it possible to access self-destructing audio and video messages even after they were gone from secret chats.
Telegram contained a privacy vulnerability in its macOS app
The bug, discovered by Dhiraj Mishra, resided in version 7.3 of Telegram for macOS. Fortunately, the issue is already patched in version 7.4, which was released at the end of January.
“Telegram which has 500 million active users suffers from a logical bug exists in telegram for macOS (7.3 (211334) Stable) which stores the local copy of received message (audio/video) on a custom path even after those messages are deleted/disappeared from the secret chat,” the researcher wrote.
The researcher discovered that if a user opens Telegram on macOS to send a recorded audio or video message in a normal chat, the app would leak the sandbox path where the recorded message is stored in a “.mp4” file. If the user performs the same action in a normal chat, the message would be stored on the same path.
Mishra created a video proof-of-concept in which “the user receives a self-destructed message in the secret chat option, which gets stored even after the message is self-destructed.”
Telegram suffered a data breach in 2020
This is not the first time Telegram has been involved in a privacy incident. Last year, hackers accessed Telegram’s internal databases and the personal information of millions of users.
The breach was discovered after the database and information about its contents were posted on an underground forum. The file contained users’ phone numbers alongside their unique Telegram user IDs.
The breach was caused by a vulnerability in the application’s contact export feature, which is accessible when a new registration for a user is made. Threat actors were able to use it to hijack the information.