Telegram for macOS did not delete self-destructing videos

Telegram developers have fixed a bug that left self-destructing audio and video messages on devices running macOS instead of deleting them.

Let me remind you that in the secret chat mode, you cannot forward messages to other users, and it is also possible to configure automatic self-destruction of all messages and multimedia after a certain time.

Independent information security specialist Dhiraj Mishra discovered that in Telegram version 7.3, self-destructing messages were not completely deleted from the recipient’s device.

"While understanding the implementation of various security and privacy measures in Telegram, I identified that Telegram fails again in terms of handling the users' data. Telegram, which has 500 million active users, suffers from a logical bug that exists in Telegram for macOS, which stores the local copy of received messages (audio/video) on a custom path even after those messages are deleted/disappeared from the secret chat," Dhiraj Mishra wrote.

The expert noticed that on macOS, standard chats expose the sandbox path where all received video and audio files are stored. The same path is used for secret chats, and received media files remain stored there even after the messages in the chat have self-destructed as intended.

"Bob (the attacker using the tdesktop macOS) and Alice (the victim) have a secret chat, and Alice sends an audio/video message to Bob with a self-destruct timer of 20 seconds. Although the message is removed from the chat after 20 seconds, it is still available through Bob’s custom path; here Telegram cannot prevent privacy for Alice. In general, the function of self-destruction and work without traces does not work," the expert writes.

Additionally, Mishra discovered that Telegram was storing local access codes to unlock the app in plain text format. They were saved in the Users/[username]/Library/GroupContainers/6N38VWS5BX.ru.keepcoder.Telegram/accounts-metadata folder as JSON files.

The researcher discovered both problems at the end of December 2020, and they were fixed with the release of Telegram 7.4. Mishra received a reward of $3,000 for reporting both errors.
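The self-destructing media issue described above is a logic bug in which the message record is removed while the cached file stays on disk. The following added example (not Telegram's code and not from the researcher's report) models that bug class next to its corrected form and includes an audit check for leftover files; the class, file names and sample data are hypothetical.

```python
import tempfile
from pathlib import Path


class SecretChatStore:
    """Toy model of a client that caches received media on disk (hypothetical)."""

    def __init__(self, cache_dir: Path, purge_media: bool):
        self.cache_dir = cache_dir
        self.purge_media = purge_media   # False reproduces the bug class
        self.messages = {}               # message id -> cached file path

    def receive(self, msg_id: int, media: bytes) -> Path:
        path = self.cache_dir / f"media_{msg_id}.bin"
        path.write_bytes(media)
        self.messages[msg_id] = path
        return path

    def self_destruct(self, msg_id: int) -> None:
        """Called when the message timer fires."""
        path = self.messages.pop(msg_id)      # message leaves the chat view
        if self.purge_media:
            path.unlink(missing_ok=True)      # corrected form: drop the cached copy too


def orphaned_media(store: SecretChatStore) -> list[str]:
    """Audit check: cached files that no live message references any more."""
    live = set(store.messages.values())
    return sorted(p.name for p in store.cache_dir.iterdir() if p not in live)


def run_scenario(purge_media: bool) -> list[str]:
    """Receive two media messages, expire one, report what is left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        store = SecretChatStore(Path(tmp), purge_media)
        store.receive(1, b"constructed sample: voice note")
        store.receive(2, b"constructed sample: video")
        store.self_destruct(1)
        return orphaned_media(store)


if __name__ == "__main__":
    print("buggy client leaves:", run_scenario(purge_media=False))
    print("fixed client leaves:", run_scenario(purge_media=True))
```

The same orphan check, comparing files in a media cache against the set of messages still alive, works as a regression test for any client that promises timed deletion.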

Let me remind you that I also reported that a researcher discovered a vulnerability in Telegram that allows locating a user.

By Vladimir Krasnogolovy
