Security

Self-Destructing Messages on Telegram May Be Permanently Stored in macOS

By Bill Toulas / August 6, 2021
Critical Vulnerability in Telegram Leaks User IP Addresses

Telegram on the macOS reportedly has a nasty bug that lets self-destructing messages exchanged via the “secret chat” be retrievable from the app’s local cache, essentially beating the feature’s whole purpose. The vulnerability is present on Telegram 7.5 for macOS, sending any location, audio, video, or document files to the following directory and storing them there permanently:

“/Users/Admin/Library/GroupContainers/XXXXXXX.ru.keepcoder.Telegram/appstore/account-1271742300XXXXXX/postbox/media” (secret chat files are stored in the same directory with the prefix “secret-file-xxxxxx”)

Although these messages are getting deleted from the app’s interface as dictated by the self-destruct feature, those stored locally on the cache folder aren’t, so they’re available for recovery without requiring any authentication or decryption.

The researcher who discovered this flaw, Reegun Jayapaul, reported the problem to Telegram, but the developers of the popular privacy-focused instant messenger only partially fixed it. More specifically, they fixed the deletion that should follow a “Read” event with version 7.8.1 but didn’t address the possibility of the recipient going directly on the cache folder without opening the shared file on the app. This enables the recipient to get a permanent copy of the sent file while leaving the sender in the dark regarding whether their message was ever opened.

Telegram’s explanation for that to the researcher was the following:

Please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app’s folder), and we clearly warn users about such circumstances on this FAQ page.

As the researcher points out, fixing this issue would be as simple as not allowing access to any cache files that haven’t been opened in the app first, so just treating them as “out of scope” isn’t the best approach here. This is a risk that senders of messages can do nothing to mitigate, so there’s no room for complacency by Telegram’s dev team.

And finally, the researcher informs us that Telegram offered him a bug bounty on the condition that he wouldn’t publicly disclose his findings. Because this wasn’t in line with the researcher’s and Trustwave’s policy around vulnerability discovery and remediation procedures, the bounty was declined, and a detailed blog post came out. That was particularly important in this case as Telegram’s fix only addresses the problem partially,


Add a Comment
Related Posts

Apple Mail Has Been Exposing Encrypted Email Content Since July


November 9, 2019

Researcher Warns of a macOS Vulnerability that Apple Refuses to Fix


May 25, 2019

Google Engineers Disclose “High Severity” Flaw in macOS Kernel


March 5, 2019

ProtonVPN Brings OpenVPN to iOS (Currently Available in Beta)


January 29, 2020

A Telegram Bot Is Giving Away the Phone Numbers of 500 Million Facebook Users


January 26, 2021

French Competition Regulator Rejects Advertising Group’s Concerns on Apple’s Privacy Features


March 17, 2021

© TechNadu 2024. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari