A serious bug in the Telegram for Mac client could allow users to save self-destructing messages and media. The bug would work for all media files, such as videos, audio, documents, and images. The intended recipient could save the messages even without actually opening them.
Telegram For Mac Bug To Save Self-Destructing Messages
A researcher from Trustwave SpiderLabs has found a serious privacy issue with Telegram for Mac. Exploiting the bug would allow the recipient to keep self-destructing messages, as well as media files, even after their deletion.
As elaborated in its blog post, the glitch existed in the Secret Chat feature of the Telegram Mac client. Secret Chat is the end-to-end encrypted chat feature, which also allows the sender to send self-destructing messages. Although the self-destructing feature exists for regular chats too, for Secret Chats, it doesn’t involve the Telegram servers.
That’s where the bug appeared.
The researchers found that the media files shared in Secret Chats would get stored in a cache folder on the recipient’s device. Hence, in the case of self-destructing messages, the recipient could retrieve the media files from the cache folder even after they were deleted from the chat.
This gets worse if the receiver retrieves the media directly from the local storage without opening the file from the chat. This retrieval was possible even after the self-destruct timer removed the file from the chat. According to the researcher,
Bob sends a media message to Alice (whether voice recordings, video messages, images, or location sharing). Without opening the message, since it may self-destruct, Alice instead goes to the cache folder and grabs the media file. She can also delete the messages from the folder without reading them in the app. Regardless, Bob will not know whether Alice has read the message, and Alice will retain a permanent copy of the media.
The following video demonstrates the PoC exploit.
Telegram Fixed The Vulnerability
Upon discovering the vulnerability, the researcher reported it to Telegram officials. Specifically, the bug existed in macOS Telegram version 7.5.
Following the report, Telegram partially fixed the vulnerability with the release of macOS Telegram version 7.8.1. This addresses the issue where the receiver would retrieve the deleted media file after reading it from the chat. All it takes is visiting the following path to locate the “secret-file-xxxxxx”. (The ‘x’ sequence refers to the unique user ID.)
However, the problem still exists and is exploitable since Telegram hasn’t addressed the lack of control over the cache folder. In this regard, Telegram responded to the researcher,
“Please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app’s folder), and we clearly warn users about such circumstances: https://telegram.org/faq#q-can-telegram-protect-me-against-everything”
The researcher, however, believes it’s a simple fix that merely requires preventing the file from getting stored locally unless the recipient reads the message.
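The difference between the reported behaviour and the fix the researcher proposes can be shown with a small model. This is an added example, not Telegram's code: the class names, the temporary directory standing in for the cache folder, and the constructed message ID and media bytes are all assumptions.

```python
import os
import tempfile

class EagerClient:
    """Model of the reported behaviour: media hits the cache as soon as it arrives."""
    def __init__(self, cache_dir):
        self.cache_dir, self.chat = cache_dir, {}
    def receive(self, msg_id, media):
        path = os.path.join(self.cache_dir, f"secret-file-{msg_id}")  # constructed name
        with open(path, "wb") as fh:
            fh.write(media)
        self.chat[msg_id] = path
    def self_destruct(self, msg_id):
        self.chat.pop(msg_id, None)  # message leaves the chat, cached file stays

class DeferredClient:
    """Model of the proposed fix: nothing is stored locally until the message is read."""
    def __init__(self, cache_dir):
        self.cache_dir, self.pending, self.opened = cache_dir, {}, {}
    def receive(self, msg_id, media):
        self.pending[msg_id] = media  # held in memory only, no cache file yet
    def open(self, msg_id):
        media = self.pending.pop(msg_id)
        path = os.path.join(self.cache_dir, f"secret-file-{msg_id}")
        with open(path, "wb") as fh:
            fh.write(media)
        self.opened[msg_id] = path
        return media
    def self_destruct(self, msg_id):
        self.pending.pop(msg_id, None)  # unread message expires without touching disk
        path = self.opened.pop(msg_id, None)
        if path and os.path.exists(path):
            os.remove(path)  # the timer removes the local copy as well

def stages(client_cls):
    """Cache listing while unread, after reading (if supported), and after the timer."""
    with tempfile.TemporaryDirectory() as d:
        c = client_cls(d)
        c.receive("000001", b"constructed sample media")
        seen = [os.listdir(d)]
        if hasattr(c, "open"):
            c.open("000001")
            seen.append(os.listdir(d))
        c.self_destruct("000001")
        seen.append(os.listdir(d))
        return seen
```

The model covers only the unread case: once a message has been opened, the recipient can still copy the file while it is on disk, which is the limit Telegram's reply points to.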
It’s unclear if Telegram would ever address this issue in the future.
The service also offered a bug bounty to the researcher for reporting this flaw. However, accepting the bounty would hinder the public disclosure that the researcher deemed important. Hence, he refused the bounty and went ahead to make this issue public.