A security researcher recently discovered and reported to the public a vulnerability in Telegram for macOS that could expose users’ self-destruct messages.
By design, Telegram secret chats rely on end-to-end encryption and should provide bullet-proof security and privacy of chat histories to concerned users. These messages can be read only by the sender and receiver. Even Telegram’s administrators don’t have the encryption keys to read them.
However, Trustwave’s researcher Reegun Jayapaul identified privacy flaws in Telegram’s self-destruct chat messages. Thanks to these flaws, anyone can retrieve audio and video messages, shared locations, and even files, after the self-destruct feature works on both devices, Reegun says in his report.
Telegram on macOS Contains a Self-Destruct Chat Vulnerability
According to the researcher, the flaw exists in macOS Telegram version 7.5.
By default, media files, except attachments, sent to Telegram are downloaded to a specific location – a cache folder. How can the vulnerability be exploited?
The researcher came up with the following scenario, involving two made-up users, Bob and Alice. In this scenario, both users end up being exposed:
Scenario 1: Audio, Video, Attachments, Shared Location leaks even after self-destructing on both devices
Bob sends a media message to Alice (again, whether voice recordings, video messages, images, or location sharing). Once Alice reads the message, the messages will be deleted in the app as per the self-destruct feature. However, the files are still stored locally inside the cache folder available for recovery.
A second scenario exploiting the vulnerability also exists, in which only Bob is exposed:
Scenario 2: Audio, Video, Attachments, Shared Location leaks without opening or deleting
Bob sends a media message to Alice (whether voice recordings, video messages, images, or location sharing). Without opening the message, since it may self-destruct, Alice instead goes to the cache folder and grabs the media file. She can also delete the messages from the folder without reading them in the app. Regardless, Bob will not know whether Alice has read the message, and Alice will retain a permanent copy of the media.
Has Telegram fixed the vulnerability?
The researcher got in touch with Telegram, and the company was eager to fix the issue in the first scenario. However, Telegram declined to fix the second issue that involves caching. Instead, the company shared some workarounds for the self-destruct timer that are outside what the app can control. Furthermore, Telegram says it has warned users about this on their official FAQ page.
Jayapaul, however, believes there is a simple fix. “If you attach media files to a message, the attachments cannot be accessed in the cache prior to clicking the message. Only after the message is opened in the app are the attachments downloaded and then deleted after the timer,” the researcher says.
It is also noteworthy that Jayapaul declined to receive a bug bounty for his discovery. Instead, he chose to go public with the disclosure. “It is essential for the public in a variety of ways. Because of these concerns and my commitment to information security, I have declined the bug bounty in exchange for disclosure,” he explains.
Previous Telegram flaws
Earlier this year, security researchers reported the abundance of one-click vulnerabilities in multiple popular software apps, Telegram included, allowing threat actors to perform arbitrary code execution attacks.
It is also mention-worthy that, in February, security researcher Dhiraj Mishra discovered that Telegram contained a privacy vulnerability in its macOS app.
The bug resided in version 7.3 of Telegram for macOS.