Telegram: A loophole in the macOS version of Telegram allows recovering temporary messages sent with the “self-destruct” feature. The problem was discovered by Reegun Richard Jayapaul, lead architect at Trustwave SpiderLabs.
According to the expert, a flaw makes it possible to access the supposedly deleted content on the sender’s and recipient’s devices. In this way, the vulnerability could be exploited in two ways.
The first flaw exposed the media files sent by Telegram that were stored in the cache folder, even self-destruct messages. An attacker could then access deleted audio, video, photos, and other documents.
The second vulnerability is the possibility of bypassing the self-destruct timer by taking the file directly from the cache folder. In this case, the recipient does not need to open the message for the media to be transferred to the folder.
Although Telegram fixed the first issue, the company refused to fix the second bug. So, the expert gave up the reward and confidentiality agreement for finding the loopholes and exposed the case.
“Disclosure is an important part of the vulnerability discovery and remediation process. Because of my commitment to information security, I refused the reward in exchange for disclosure,” said Jayapaul.
In a statement, Telegram said the self-destruct feature is a simple way for users to upload media that will be automatically deleted. However, the functionality is subject to failure.
“We advise in our FAQ that the feature should only be used with people you trust, as there is no way the app can 100% prevent someone from saving a version of the content, like simply capturing the screen with another device,” said the spokesperson.
Finally, the company recognizes the researchers’ contribution to improving the messenger’s security features. As well, Telegram is open to receiving suggestions that may bring additional solutions.