Telegram, hailed as one of the two significantly more private communication apps over WhatsApp, had a major security vulnerability that could have exposed self-destroying audio and video messages sent by any user, when used on Mac. Discovered by independent cyber security researcher Dhiraj Mishra, the flaw pertains to Secret Chat, a feature that encrypts conversation on Telegram between two users to make sure that the content stays encrypted even on Telegram servers. As Mishra found, when media files were sent to a user in normal chat, Telegram would reveal the destination folder where the audio, video and image files were being stored. While Telegram did not reveal the file destination under Secret Chat (i.e. encrypted chats), it still stored the received media files in the same destination folder, and files in this folder were not automatically deleted by Telegram.
The media files in question stay in local storage folder, even after it gets automatically deleted from a chat window after a pre-destined period of time. Mishra further found that the Telegram for macOS app version 7.3 stores local passcodes, which you may have set in order to prevent other users from logging in to your chat window on a shared device, in plain text. In essence, this means that any user with intent could potentially find your passcode and gain access to your conversations. With Secret Chat, users aware of the loophole could essentially expose private audio, video and images of contacts, who would otherwise have been under the impression that their information was secure.
Mishra reported the incident to Telegram on December 26, 2020. As he told News18, the flaw was patched in the past few days, and Mishra was paid a bug bounty of EUR 3,000. Explaining his findings, Mishra added, "During my assessment I found that self-destructed messages, in this case recorded audio/video messages, are actually never deleted and leave a local copy under a custom/sandbox path. The recorded audio/video message gets stored in mp4 or mov formats, and still remains even after a user delete for everyone from the normal chat."
Telegram shot to wider popularity after WhatsApp's data sharing policy update brought to light discrepancies in terms of how it regards user data security. While WhatsApp continues to maintain that its end to end encryption protects user data with ample security, its sharing of metadata with its parent Facebook is what raised the concerns. During this period, Telegram and secure chat app Signal have been the biggest beneficiaries, and have seen exponential usage growth in recent times. However, with closer scrutiny on the apps now, it remains to be seen if Telegram or Signal has more such vulnerabilities which could be inadvertently leaking private data the way Telegram Secret Chat did via its Mac app.