Popular messaging app Telegram has fixed a privacy-defeating bug in its macOS application that made it possible to access self-destructing audio and video messages long after they had disappeared from secret chats.
Security researcher Dhiraj Mishra discovered the vulnerability in version 7.3 of the app and disclosed his findings to Telegram on December 26, 2020. The issue has since been fixed in version 7.4, released on January 29.
Unlike Signal or WhatsApp, conversations on Telegram are not end-to-end encrypted by default; users must explicitly opt in to a device-specific feature called “secret chat,” which keeps data encrypted even on Telegram's servers. Secret chats also offer the option to send self-destructing messages.
What Mishra found was that when a user records and sends an audio or video message in a regular chat, the app leaked the exact path where the recorded message is stored in “.mp4” format. With the secret chat option turned on, the path information is not leaked, but the recorded message is still saved in the same location.
In addition, even when a user receives a self-destructing message in a secret chat, the multimedia file remains available on the system after the message has disappeared from the app's chat screen.
“Telegram says ‘super secret’ chats do not leave traces, but it stores the local copy of such messages under a custom path,” Mishra told The Hacker News.
Separately, Mishra also found a second vulnerability in Telegram's macOS app that stored local passcodes in plaintext in a JSON file located under “/Users/
Mishra was awarded €3,000 for reporting the two flaws under Telegram's bug bounty program.
Telegram in January hit a milestone of 500 million monthly active users, driven in part by a surge of users who left WhatsApp following a revision to its privacy policy that involves sharing certain data with its corporate parent, Facebook.
While the service does encrypt traffic between client and server (using a proprietary protocol called “MTProto”) and encrypts messages stored in the Telegram cloud, it is worth keeping in mind that group chats offer no end-to-end encryption and that all default chat histories are stored on Telegram's servers. This is what makes conversations readily accessible across devices.
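The two flaws share one root cause: sensitive state left on disk in a form the user never expected. The following is an added, illustrative Python model of the defensive behaviour, not Telegram's code and not a description of how version 7.4 fixed either issue. It assumes a hypothetical `SecretChatMediaStore` that deletes the local `.mp4` copy when a self-destruct timer fires (with a flag that reproduces the reported behaviour of leaving the file behind, so the audit helper has something to catch), and contrasts a plaintext passcode JSON record with a salted PBKDF2 record. All paths, message ids, the passcode and the fake media bytes are constructed sample values written to a temporary directory.

```python
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path


class SecretChatMediaStore:
    """Hypothetical local cache for self-destructing media (not Telegram's implementation)."""

    def __init__(self, media_dir: Path):
        self.media_dir = media_dir
        self.media_dir.mkdir(parents=True, exist_ok=True)
        self._expiry = {}  # message id -> (local path, absolute expiry time)

    def store(self, message_id: str, payload: bytes, ttl_seconds: float, now: float) -> Path:
        """Write the received media locally and arm its self-destruct timer."""
        path = self.media_dir / f"{message_id}.mp4"
        path.write_bytes(payload)
        self._expiry[message_id] = (path, now + ttl_seconds)
        return path

    def expire(self, now: float, delete_local_copy: bool = True) -> list:
        """Fire timers that have elapsed. With delete_local_copy=False the message vanishes
        from the chat model but the .mp4 stays on disk, which is the reported flaw."""
        removed = []
        for message_id, (path, deadline) in list(self._expiry.items()):
            if now >= deadline:
                if delete_local_copy and path.exists():
                    path.unlink()
                del self._expiry[message_id]
                removed.append(message_id)
        return removed

    def leftover_media(self) -> list:
        """Audit: any .mp4 on disk that no live message references is a leaked copy."""
        return sorted(p.name for p in self.media_dir.glob("*.mp4") if p.stem not in self._expiry)


def store_passcode_plaintext(path: Path, passcode: str) -> None:
    """Vulnerable pattern: the passcode itself is written into a JSON file."""
    path.write_text(json.dumps({"passcode": passcode}))


def store_passcode_hashed(path: Path, passcode: str, iterations: int = 200_000) -> None:
    """Hardened pattern: only a salted PBKDF2-SHA256 digest reaches the disk."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)
    record = {"salt": salt.hex(), "pbkdf2_sha256": digest.hex(), "iterations": iterations}
    path.write_text(json.dumps(record))


def verify_passcode(path: Path, candidate: str) -> bool:
    """Recompute the digest for a candidate and compare in constant time."""
    record = json.loads(path.read_text())
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["pbkdf2_sha256"])


def file_contains_secret(path: Path, secret: str) -> bool:
    """Audit: does the on-disk record expose the passcode verbatim?"""
    return secret in path.read_text()


def demo() -> dict:
    """Constructed walkthrough in a temp dir; returns the audit results for both flaws."""
    root = Path(tempfile.mkdtemp(prefix="secret_chat_audit_"))
    results = {}

    # Media: reproduce the leak (file kept after the timer fires) next to the fixed behaviour.
    fake_mp4 = b"\x00\x00\x00\x18ftypmp42"  # constructed stand-in for a recorded message
    for label, delete in (("media_vulnerable", False), ("media_fixed", True)):
        store = SecretChatMediaStore(root / label)
        store.store("msg1", fake_mp4, ttl_seconds=10, now=0.0)
        store.expire(now=10.0, delete_local_copy=delete)
        results[label] = store.leftover_media()

    # Passcode: plaintext JSON record next to the salted-hash record.
    passcode = "correct horse"  # constructed sample value
    plain, hashed = root / "plain.json", root / "hashed.json"
    store_passcode_plaintext(plain, passcode)
    store_passcode_hashed(hashed, passcode)
    results["passcode_plaintext_exposed"] = file_contains_secret(plain, passcode)
    results["passcode_hashed_exposed"] = file_contains_secret(hashed, passcode)
    results["passcode_verifies"] = verify_passcode(hashed, passcode)
    results["wrong_passcode_rejected"] = not verify_passcode(hashed, "wrong")
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`leftover_media` is the check a reviewer would run against a cache directory after timers have fired: in the vulnerable configuration it reports `msg1.mp4` still on disk, in the fixed one it reports nothing. The passcode half shows why a plaintext field fails the same test while a salted digest does not, while still allowing the app to verify the user's entry.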
“So if you are on Telegram and want a truly private group chat, you are out of luck,” Raphael Mimoun, founder of the digital security nonprofit Horizontal, said last month.