A security researcher discovered that one of Telegram’s features on macOS that should have guaranteed complete privacy by destroying the information sent by users wasn’t working as intended. Telegram is an instant messaging application with support for all major operating systems, including macOS.
While the app developers don’t boast of default end-to-end encryption for messages, they do offer a feature called ‘secret chat.’ Users have to specifically enable it, though, and it’s only available for two participants, not for groups. In this case, the exchanged data, video and audio files, data remains on devices even if the original message is “destroyed” by the app.
The inability to guarantee that the app has erased a file sent through the secret chat feature is not a good outcome. As security researcher Dhiraj Mishra points out, Telegram explains clearly how the feature is supposed to work:
“The clock starts ticking the moment the message is displayed on the recipient’s screen (gets two check marks). As soon as the time runs out, the message disappears from both devices,” says Telegram.
But the developer discovered that the app stored files on the device and didn’t delete them as it should.
“Open telegram for macOS, send a recorded audio/video message in normal chat, the application leaks the sandbox path where the recorded message is stored in ‘.mp4’ file,” said Dhiraj. When the sameprocess is followed in the secret chat, the app didn’t leak the URL, but Telegram stored the files in the same place.
The researcher also discovered a second vulnerability as the same version of Telegram on macOS stored local passcodes in plain text. Telegram fixed both of these vulnerabilities in the 7.4 (212543) Stable version and awarded the researcher a €3,000 bounty.