A security vulnerability in the macOS version of Telegram that prevented audio and video conversations set to ‘self-destruct’ from being deleted locally has been patched.
The researcher who found the issue, Dhiraj Mishra, disclosed his findings on February 11. In a technical blog post, Mishra described the vulnerability as a “failure” in how the secure messaging app handles user data.
Mishra first began exploring Telegram in 2018, so he had a “clear idea” of how the messaging application works, he told The Daily Swig, and decided to investigate further as the app now has more than 500 million active users.
Fuzzy logic
The logic bug, present in Telegram for macOS 7.3’s stable release, prevented self-destructing messages from being deleted during secret chats.
The macOS software leaks the MediaResourceData(path://) sandbox path when video and audio messages are sent in normal conversation boxes. If this type of content is set to self-destruct, it is still stored in either .mp4 or .mov format and remains available locally.
After making a note of this local address, Mishra then examined secret chat functionality. The URL is not leaked, but recorded audio or video messages are still stored and made available by accessing the same path.
Due to this logic issue, if two people, A and B, communicate using the secret chat option and A sends a message with a self-destruct timer, B could still grab this content by following the sandbox path, leading to a potential privacy failure for A.
A proof-of-concept (PoC) video has been published showcasing the exploit in action.
The researcher also found that Telegram for macOS stored local passcodes in plain text and without any encryption or protection in place.
A JSON file can be queried to display the passcode, potentially allowing an attacker with access to a local system to read conversations on the app.
Coordinated disclosure
Mishra initially disclosed his findings to Telegram on December 26, 2020. A reply was not received until January 6, 2021. After what the researcher describes as “a lot of follow-up emails”, the vulnerabilities were patched on January 30 in version 7.4 of the software.
“In my opinion, the responsible disclosure policy for Telegram is average and can be improved,” Mishra commented.
A bug bounty reward of $3,000 was awarded by Telegram.
Telegram has not responded to requests for comment at the time of publication.
“Telegram states it’s one of the privacy-focused messaging applications, but from my past experience, I am a little worried about using Telegram in my day-to-day activity,” Mishra told The Daily Swig.
“For people already using Telegram, [they] can at least limit their conversations, but [for] people who are looking to sign up for Telegram it’s better to sign up for Signal.”