Telegram Bug leaves Self-Destructing Audio and Video messages on Device

Telegram messages aren't end-to-end encrypted by default unless the user explicitly enables a device-specific feature called "secret chat", which also keeps the data encrypted on Telegram servers.

However, Dhiraj Mishra, a security researcher, discovered a bug in Telegram version 7.3; the issue has been fixed in the subsequent version 7.4, released on January 29. The privacy bug resides in the macOS app and makes it possible to access any self-destructing audio and video message long after it has disappeared from a secret chat.

While there are several security and privacy measures in Telegram, it fails again in terms of securing users' data.

How Self-Destructing Media Files Still Remain on Device After End of Secret Chat



If a Telegram user records and sends a video or audio message through a regular chat, the Telegram app leaks the exact path where the message is stored in ".mp4" format. The path information isn't revealed if the secret chat option is turned on, but the recorded message is stored in the same location.



And the person who receives a self-destructing message in a secret chat will still have the multimedia message accessible on the system even after the message has gone from the chat screen.

In the proof-of-concept video, the user receives a self-destructing message in a secret chat, and the file remains stored even after the message has self-destructed. The macOS version of the app is the one susceptible to the vulnerability, and it also stores the passcode in plain text. Both vulnerabilities were patched in version 7.4 (212543) Stable, with a €3,000 bounty awarded to Dhiraj Mishra.

What Telegram users should do about the Vulnerabilities



If you're a Telegram user on macOS and care about your privacy, you should update your app now to Telegram version 7.4 (212543) Stable, but bear in mind that group chats still offer no end-to-end encryption, with all default chat histories stored on Telegram's servers.

Therefore, if you want a truly private group chat, you should consider Signal Messenger as an alternative with all chats end-to-end encrypted. But, despite the privacy shortcoming, Telegram still recorded a milestone of 500 million active monthly users in January.
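For anyone who needs to confirm the update on one or many Macs, the check below is an added example, not code from the researcher or from Telegram: it reads the app's Info.plist and compares it against 7.4 (212543). The install path, the use of `CFBundleVersion` for the build number, and the sample values are assumptions.

```python
import plistlib
from pathlib import Path

# Fixed release named in the article: Telegram for macOS 7.4 (212543).
FIXED_VERSION = (7, 4)
FIXED_BUILD = 212543

# Assumed install location; adjust for your environment.
DEFAULT_PLIST = Path("/Applications/Telegram.app/Contents/Info.plist")


def parse_version(text):
    """Turn '7.10.1' into (7, 10, 1) so that 7.10 sorts above 7.4."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(plist_bytes):
    """Return (patched, version, build) for an Info.plist given as bytes."""
    info = plistlib.loads(plist_bytes)
    version = str(info.get("CFBundleShortVersionString", "0"))
    # Assumption: the build number shown in parentheses is CFBundleVersion.
    build = str(info.get("CFBundleVersion", "0"))
    try:
        ver = parse_version(version)
        bld = int(build)
    except ValueError:
        # Unparseable version data: report as not verified rather than guess.
        return False, version, build
    # Pad both tuples to the same length so (7, 4) equals (7, 4, 0).
    width = max(len(ver), len(FIXED_VERSION))
    ver_p = ver + (0,) * (width - len(ver))
    fix_p = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    if ver_p != fix_p:
        return ver_p > fix_p, version, build
    # Same marketing version: assume build numbers only increase.
    return bld >= FIXED_BUILD, version, build


def sample_plist(version, build):
    """Constructed Info.plist for demonstration, not from a real install."""
    return plistlib.dumps(
        {"CFBundleShortVersionString": version, "CFBundleVersion": build}
    )


if __name__ == "__main__":
    # Falls back to a constructed 7.3 sample when the app is not installed.
    data = DEFAULT_PLIST.read_bytes() if DEFAULT_PLIST.exists() else sample_plist("7.3", "211000")
    patched, version, build = is_patched(data)
    print(f"Telegram {version} ({build}):", "patched" if patched else "update to 7.4 (212543) or later")
```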
