Critical Telegram flaw allows the leaking of sensitive files; private images and videos exposed

Telegram security teams announced the patching of a critical vulnerability that caused audio and video files, which were supposed to be self-destructed, to remain stored on macOS users’ devices. This flaw lies in the “secret chat” feature, which offers additional privacy features.

When using the secret chat feature in Telegram, chats are encrypted end-to-end and it is impossible to forward messages to other users, and any files sent through this feature will self-destruct after a set amount of time, so devices will not store any record of these conversations.

Cybersecurity specialist Dhiraj Mishra mentions that version 7.3 of the macOS device app was affected by a severe vulnerability in the secret chat feature that did not allow the deletion of these logs, which would be leaked from the sandbox path in which private files are stored.

Although the path would not be filtered in secret chats, the received media would remain stored in the same folder: “In my case, this path was /var/folders/x7/khjtxvbn0lzgjyy9xzc18z100000gn/T/,” the expert mentions. Mishra also mentions that while performing the same task in the secret chat option, the MediaResourceData(path://) URI was not filtered, even though the file remained stored in the previous path.

“When these files were deleted from the chat, the actual media log was still available in the device folder; Users A and B, communicating through the secret chat feature, can share multimedia messages and set a 20-second self-destruct period. However, even if the message is deleted after the deadline, the file remains under user A’s custom path, affecting user B’s privacy,” concludes the expert.

This is a flaw that could have seriously affected activists, political opponents in authoritarian regimes, journalists and others of interest, not to mention that any user of the platform could be compromised equally.

The expert also reported a security flaw that allowed store users’ local passwords in plain text; such information remained available in the Users/[username]/Library/Group Containers/ path, in the form of a JSON file.

Telegram received both reports in December 2020, so multiple security patches were included with the release of Telegram 7.4. The company rewarded Mishra’s reports with $3,000 USD. To learn more about computer security risks, malware, vulnerabilities and information technologies, feel free to access the International Cyber Security Institute (IICS) website.