Telegram is one of the most-trusted apps when it comes to private messaging. Therefore, any security or privacy bug arising in the app is certainly worth noting. Recently, a researcher spotted a privacy bug in Telegram that could expose pictures and videos from messages that were previously deleted.
Privacy Bug Found In Telegram
Security researcher Dhiraj Mishra discovered a serious privacy bug in Telegram app. According to his findings, there was a privacy issue that could expose unsent media to other users
Stating about the problem in his blog post, he explained that the issue existed in Telegram’s feature of deleting sent media. For instance, if a user inadvertently sends a picture or video to another user, he can delete the sent message. However, due to the bug, it became possible for the recipient to still retrieve the deleted media from the internal storage of the device.
It was observed that once the message (image) is sent to the recipient, it still remains in the internal storage of the user which is located at
/Telegram/Telegram Images/
path.
It means that the delete message feature only worked for the chat window of the app.
He has also shared a PoC of the bug in a video.
Mishra also explained that the bug further posed a threat in case of Telegram subgroups. In this case, the deleted media would be available to all users.
The researcher tested Telegram for Android to discover this bug. Though, he assumes the possible existence of the bug on iOS and Windows versions as well.
Telegram Released A Fix
After discovering the bug, Mishra shared his findings with TechCrunch. Both the researcher and TechCrunch reached out to Telegram to report the matter.
The vulnerability has received the CVE number CVE-2019-16248 with a high-severity rating. The vulnerability description describes the bug as a misleading UI indication.
The “delete for” feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that a sender can remove a recipient’s copy of a previously sent image (analogous to supported functionality in which a sender can remove a recipient’s copy of a previously sent message).
Fortunately, Telegram released a fix for this with Telegram version 5.11. In addition, they also awarded a bounty of €2,500 to the researcher for this report.
While this vulnerability does not affect WhatsApp, earlier, researchers highlighted a media file jacking vulnerability in Telegram that affected WhatsApp as well.
Let us know your thoughts in the comments.