
Telegram: Privacy feature did not delete self-destructing video files

The free messenger app Telegram apparently had a security problem with audio and video files that were meant to be deleted: on devices running macOS, they were not automatically deleted as intended after the timer expired.

In “secret chat” mode, the messenger offers extended privacy settings compared to standard chat: all connections in a secret chat are end-to-end encrypted, messages cannot be forwarded to third parties, and all text messages and media content can delete themselves if the sender has set this up, in which case the app automatically deletes the content from all devices after the specified time. However, the function does not seem to have worked for some Telegram users, as a cybersecurity expert has now found out.

During a Telegram security audit on macOS, the security analyst Dhiraj Mishra discovered that the sandbox path under which the app stores video and audio files received in standard chats had a data leak. Although the vulnerability was not present in secret chat mode, the app apparently also stores media files received in secret chats in the same folder as those from standard chats.

Mishra tested the vulnerability by sending a self-destructing message in “secret chat” mode and was able to prove that the message was still present in memory after it had apparently been deleted in the chat. As a proof of concept, he produced a video that can be viewed on his blog and on YouTube:


Telegram: self-destructive messages are not deleted

Proof-of-concept by security analyst Dhiraj Mishra on YouTube

As the “icing on the cake”, Telegram apparently saved the local passcode unencrypted in clear text under macOS; Mishra also posted a video on this in his blog. Both security holes affected version 7.3 of Telegram and were then patched in version 7.4 (212543) stable. The computer scientist received a reward of 3,000 euros from Telegram for tracking down the security hole.

Those interested can read the security analyst's full report in his blog.


(hmm)
