Telegram security teams announced the patching of a critical vulnerability that caused audio and video files, which were supposed to be self-destructed, to remain stored on macOS users’ devices. This flaw lies in the “secret chat” feature, which offers additional privacy features.
When using the secret chat feature in Telegram, chats are encrypted end-to-end and it is impossible to forward messages to other users, and any files sent through this feature will self-destruct after a set amount of time, so devices will not store any record of these conversations.
Cybersecurity specialist Dhiraj Mishra mentions that version 7.3 of the macOS device app was affected by a severe vulnerability in the secret chat feature that did not allow the deletion of these logs, which would be leaked from the sandbox path in which private files are stored.
Although the path would not be filtered in secret chats, the received media would remain stored in the same folder: “In my case, this path was /var/folders/x7/khjtxvbn0lzgjyy9xzc18z100000gn/T/,” the expert mentions. Mishra also mentions that while performing the same task in the secret chat option, the MediaResourceData(path://) URI was not filtered, even though the file remained stored in the previous path.
“When these files were deleted from the chat, the actual media log was still available in the device folder; Users A and B, communicating through the secret chat feature, can share multimedia messages and set a 20-second self-destruct period. However, even if the message is deleted after the deadline, the file remains under user A’s custom path, affecting user B’s privacy,” concludes the expert.
This is a flaw that could have seriously affected activists, political opponents in authoritarian regimes, journalists and others of interest, not to mention that any user of the platform could be compromised equally.
The expert also reported a security flaw that allowed store users’ local passwords in plain text; such information remained available in the Users/[username]/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram/accounts-metadata path, in the form of a JSON file.
Telegram received both reports in December 2020, so multiple security patches were included with the release of Telegram 7.4. The company rewarded Mishra’s reports with $3,000 USD. To learn more about computer security risks, malware, vulnerabilities and information technologies, feel free to access the International Cyber Security Institute (IICS) website.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.