Heads up Telegram users, especially the ones using it on macOS. The Telegram for macOS client had a serious security vulnerability that caused retention of self-destructing messages. The same client also stored passcodes in plaintext due to another flaw. Since the updates are out, make sure to update your devices with the latest app version.
Telegram for macOS Vulnerability
Security researcher Dhiraj Mishra found security issues affecting the Telegram for macOS client.
As elaborated in his blog post, he first found a vulnerability in Telegram for macOS affecting the self-destruct messages feature. Specifically, a fuzzy logic bug affected this feature that resulted in the retention of messages, including audios and videos, on a custom path on the local device.
It means that, while the self-destruct message would disappear from the app, it continued to exist locally.
Thus, it became possible for the recipient to simply search and retrieve the “self-destructed” messages from the device without the sender’s input or consent.
The following video demonstrates this problem.
Alongside this one, the researcher also discovered another vulnerability in the same Telegram client.
Specifically, he found that Telegram for macOS used to store local passcodes in plain text. Thus, an adversary with local access to a target device could easily retrieve the passcode and read the chats by simply querying a JSON file.
The following video serves as the proof-of-concept for this exploit.
Patch Rolled Out
Upon discovering the bugs, the researcher reported the matter to Telegram via their bug bounty program.
The vulnerabilities, CVE-2021-27204 and CVE-2021-27205, specifically affected the app version 7.3 (211334) Stable.
Following his report, Telegram fixed the vulnerabilities with the release of the app version 7.4 (212543) Stable. Also, the researcher won a 3000 EURO bounty for discovering these flaws.
Mac users with Telegram clients running on their devices must ensure updating their systems with the latest version immediately.