Dhiraj Mishra, a security researcher, has shared with Bleeping Computer interesting findings of two security bugs in the now-fixed Telegram messenger app for macOS. These issues made the app fail to properly remove self-destruct media in Secret chats and to store local passcode in plain text.
The first issue relates to the mechanism of self-destructing media in Secret chats (these are secured with end-to-end encryption chats that do not sync between devices). This feature's main idea is to "safely" send a file that will automatically and completely disappear without any trace from a recipient's device after a specified time.
As it turns out, Telegram had been leaking a path to sandbox storage where it keeps received media from both regular and secret chats. It was relatively easy to extract this path and get the media's copies even after the app deleted all the received self-destructing files. You can watch Dhiraj Mishra demonstrating this bug in the video below.
A researcher also found that Telegram for macOS had been storing a local password in plain text as a JSON file. Again, you can see this bug in action in the video from Dhiraj.
Dhiraj notified Telegram of his findings on December 26, 2020, and the developers quickly fixed them in Telegram 7.4. They also awarded the researcher a $3,000 bounty.
In 2021, Telegram experiences large user migration from WhatsApp after the latter found itself in another privacy scandal. With more eyes on Telegram and its privacy-protection policies, it is not surprising that researchers find previously unknown bugs and issues. The good thing is that developers quickly respond and fix these bugs. Still, this story shows that even the best services are not immune to bugs and mistakes.
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: