Telegram users on macOS are being warned about possible privacy concerns that could expose files they share with others. According to the findings of Trustwave SpiderLabs’ principal threat architect, Reegun Richard Jayapaul, the self-destruct mechanism of the privacy-focused app can be bypassed so that shared files are retained indefinitely.
The first problem was that media files transferred over Telegram were saved in a cache folder and remained there long after the message had self-destructed. According to Jayapaul, this meant that an attacker could still access those items, whether they were audio, video communications, shared locations, or documents. Telegram repaired the problem, but the details are only now being disclosed because Jayapaul declined a reward from Telegram: the bug bounty contract offered a monetary incentive for his efforts on the condition that he keep the information secret.
It is also the second time this year that a researcher has found files not being removed properly after Telegram’s self-destructing chats; the first issue was corrected in version 7.4, and the most recent fix arrived in version 7.7. “It appears that Telegram has a habit of leaving these ostensibly ‘self-destructing’ media files behind,” stated Karl Sigler, Trustwave SpiderLabs Senior Security Research Manager.
Telegram has not yet addressed a second flaw, which allows a recipient to avoid the self-destruct feature by retrieving a file from the cache folder without ever opening the message. Screenshots or screen recordings could of course be used instead, but reading from the cache leaves the sender believing the recipient has not looked at the message, so the sender has no indication that the contents have been kept.
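The two failure modes described above come down to one design question: who owns a cached media file, and when is it deleted? The following added example (constructed for this article, not Telegram's code; all class, function and path names are hypothetical) models a client-side cache in which every cached file is tied to the message that received it, is purged when the message's timer runs out, and is also purged after a maximum unread window so that a never-opened message cannot sit in the cache indefinitely. An audit method lists any cache files no live message owns, which is the check a defender would run to detect the first flaw.

```python
"""Model of an ephemeral (self-destructing) media cache.

Constructed illustration of the two failure modes reported for Telegram's
self-destruct messages: (1) cached media outliving the message, and (2) media
being readable from the cache before the message is ever opened. Paths, class
and function names are hypothetical; this is not Telegram's code.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class EphemeralMessage:
    msg_id: str
    cache_paths: List[str]          # every on-disk file this message owns
    ttl: float                      # seconds the recipient may view it after opening
    received_at: float
    opened_at: Optional[float] = None


class EphemeralMediaStore:
    """Cache whose entries are owned by a message and purged together with it."""

    def __init__(self, cache_dir: str, max_unread: float) -> None:
        self.cache_dir = cache_dir
        self.max_unread = max_unread  # purge media that is never opened within this window
        self.live: Dict[str, EphemeralMessage] = {}

    def receive(self, msg_id: str, media: bytes, ttl: float, now: float) -> str:
        """Store downloaded media in the cache, tied to the message that owns it."""
        path = os.path.join(self.cache_dir, f"{msg_id}.bin")
        with open(path, "wb") as fh:
            fh.write(media)
        self.live[msg_id] = EphemeralMessage(msg_id, [path], ttl, received_at=now)
        return path

    def view(self, msg_id: str, now: float) -> bytes:
        """Recipient opens the message; the self-destruct timer starts at first view."""
        msg = self.live[msg_id]
        if msg.opened_at is None:
            msg.opened_at = now
        with open(msg.cache_paths[0], "rb") as fh:
            return fh.read()

    def _purge(self, msg: EphemeralMessage) -> None:
        for path in msg.cache_paths:
            if os.path.exists(path):
                os.remove(path)
        del self.live[msg.msg_id]

    def sweep(self, now: float) -> List[str]:
        """Delete messages whose timer ran out, and unread messages older than max_unread."""
        expired: List[str] = []
        for msg in list(self.live.values()):
            timer_done = msg.opened_at is not None and now - msg.opened_at >= msg.ttl
            stale_unread = msg.opened_at is None and now - msg.received_at >= self.max_unread
            if timer_done or stale_unread:
                self._purge(msg)
                expired.append(msg.msg_id)
        return expired

    def orphaned_cache_files(self) -> List[str]:
        """Audit: cache files not owned by any live message (the first reported flaw)."""
        owned = {p for m in self.live.values() for p in m.cache_paths}
        return sorted(
            os.path.join(self.cache_dir, name)
            for name in os.listdir(self.cache_dir)
            if os.path.join(self.cache_dir, name) not in owned
        )


def demo() -> dict:
    """Run both scenarios in a temporary cache directory and report what happened."""
    with tempfile.TemporaryDirectory() as cache_dir:
        store = EphemeralMediaStore(cache_dir, max_unread=60.0)
        # Scenario 1: message is opened, timer elapses, cached file must be gone.
        p1 = store.receive("m1", b"constructed-photo-bytes", ttl=5.0, now=0.0)
        store.view("m1", now=1.0)
        store.sweep(now=3.0)                  # 2 s after opening: still within ttl
        present_before = os.path.exists(p1)
        store.sweep(now=6.0)                  # 5 s after opening: purged
        present_after = os.path.exists(p1)
        # Scenario 2: never opened. Without max_unread the file would stay forever.
        p2 = store.receive("m2", b"constructed-doc-bytes", ttl=5.0, now=0.0)
        store.sweep(now=30.0)
        unread_present = os.path.exists(p2)
        store.sweep(now=61.0)
        unread_purged = not os.path.exists(p2)
        orphans = store.orphaned_cache_files()
    return {
        "present_before": present_before,
        "present_after": present_after,
        "unread_present": unread_present,
        "unread_purged": unread_purged,
        "orphans": orphans,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `max_unread` is the second flaw: a self-destruct timer that only starts when the recipient opens the message leaves the downloaded copy readable for as long as the recipient chooses not to open it, so the cache needs its own lifetime bound independent of the viewing timer. Timestamps are passed in explicitly rather than read from the clock so the lifecycle can be exercised deterministically.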
“The self-destruct feature is intended to be a simple way for users to send media that will delete itself. We warn users that they should use this only with people they trust, as there is no way for software to 100% prevent someone from saving a version of messages or media—such as simply taking a photo of their screen with another device,” a Telegram spokeswoman said, pointing to a page with customer support information.