Self-Destructing Messages on Telegram May Be Permanently Stored in macOS

The Telegram app on macOS was not deleting self-destructing messages properly from its cache.
This was fixed later on, but the recipient may still find them if they don’t open the files in the app.
Telegram refused to fix that scenario, seeing it as out of the software’s scope.

Telegram on the macOS reportedly has a nasty bug that lets self-destructing messages exchanged via the “secret chat” be retrievable from the app’s local cache, essentially beating the feature’s whole purpose. The vulnerability is present on Telegram 7.5 for macOS, sending any location, audio, video, or document files to the following directory and storing them there permanently:

“/Users/Admin/Library/GroupContainers/XXXXXXX.ru.keepcoder.Telegram/appstore/account-1271742300XXXXXX/postbox/media” (secret chat files are stored in the same directory with the prefix “secret-file-xxxxxx”)

Although these messages are getting deleted from the app’s interface as dictated by the self-destruct feature, those stored locally on the cache folder aren’t, so they’re available for recovery without requiring any authentication or decryption.

The researcher who discovered this flaw, Reegun Jayapaul, reported the problem to Telegram, but the developers of the popular privacy-focused instant messenger only partially fixed it. More specifically, they fixed the deletion that should follow a “Read” event with version 7.8.1 but didn’t address the possibility of the recipient going directly on the cache folder without opening the shared file on the app. This enables the recipient to get a permanent copy of the sent file while leaving the sender in the dark regarding whether their message was ever opened.

Telegram’s explanation for that to the researcher was the following:

Please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app’s folder), and we clearly warn users about such circumstances on this FAQ page.

As the researcher points out, fixing this issue would be as simple as not allowing access to any cache files that haven’t been opened in the app first, so just treating them as “out of scope” isn’t the best approach here. This is a risk that senders of messages can do nothing to mitigate, so there’s no room for complacency by Telegram’s dev team.

And finally, the researcher informs us that Telegram offered him a bug bounty on the condition that he wouldn’t publicly disclose his findings. Because this wasn’t in line with the researcher’s and Trustwave’s policy around vulnerability discovery and remediation procedures, the bounty was declined, and a detailed blog post came out. That was particularly important in this case as Telegram’s fix only addresses the problem partially,