Researchers have uncovered a technique that lets Telegram for Mac users save or view specific self-destructing messages forever without the sender’s knowledge.
Telegram has an optional ‘Secret Chat’ mode that enhances chat privacy by enabling a number of extra features.
When you create a Secret Chat with another Telegram user, the connection is encrypted end-to-end, and all messages, attachments, and media are set to immediately self-destruct and be erased from all devices after a defined period of time.
BleepingComputer reported that new issues identified by Trustwave SpiderLabs’ Lead Threat Architect Reegun Richard Jayapaul allow Telegram for Mac users to save self-destructing messages and attachments forever.
When media files other than attachments are sent in a message, they are saved in a cache folder with the XXXXXX unique numbers associated with an account, which is located at the following path.
Telegram will not download attachments (text, doc, or PDF files, as well as audio and video) unless the recipient opens them.
This is most likely because attachments are larger.
When a receiver opens or views the message, the self-destruct timer begins, and when the timer expires, the content is automatically erased.
Reegun observed, however, that the self-destructing media was not erased from the cache folder, and that a user could save it to another location on their hard drive.
Reegun revealed that since voice recordings, video messages, photos, and location sharing images are all automatically transferred to the cache, a user might easily copy the media from the cache folder before seeing it in the app.
“Bob sends a media message to Alice (whether voice recordings, video messages, images, or location sharing).
Without opening the message, since it may self-destruct, Alice instead goes to the cache folder and grabs the media file,” Reegun explains in his report.
“She can also delete the messages from the folder without reading them in the app. Regardless, Bob will not know whether Alice has read the message, and Alice will retain a permanent copy of the media.”
This second bug, according to Telegram, will not be resolved because there is no method to prevent direct access to the app’s folder.
Reegun informed BleepingComputer that he disagrees and believes that Telegram could fix the flaw by treating all self-destructing media as attachments and not downloading them to the local file system until they are opened.
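The difference between the reported behaviour and the fix Reegun proposes can be seen in a small model of a client cache. This is an added example, not Telegram's code: the class, its method names, the `.bin` file naming and the sample message are all hypothetical, and the `pending` dictionary stands in for media that has not yet been fetched from the server.

```python
import os
import tempfile

class SecretMediaStore:
    """Toy model of a client's on-disk cache for self-destructing media."""

    def __init__(self, cache_dir, hardened):
        self.cache_dir = cache_dir
        self.hardened = hardened
        self.pending = {}   # msg_id -> (payload, ttl); media not yet opened
        self.deadline = {}  # msg_id -> time at which the opened message expires

    def _path(self, msg_id):
        return os.path.join(self.cache_dir, msg_id + ".bin")

    def _write(self, msg_id, payload):
        with open(self._path(msg_id), "wb") as fh:
            fh.write(payload)

    def receive(self, msg_id, payload, ttl):
        self.pending[msg_id] = (payload, ttl)
        if not self.hardened:
            # Flawed behaviour from the article: cached before the message is opened.
            self._write(msg_id, payload)

    def open_message(self, msg_id, now):
        payload, ttl = self.pending.pop(msg_id)
        if self.hardened:
            self._write(msg_id, payload)   # written only when the recipient opens it
        self.deadline[msg_id] = now + ttl  # the self-destruct timer starts on open
        return payload

    def tick(self, now):
        for msg_id in [m for m, t in self.deadline.items() if now >= t]:
            del self.deadline[msg_id]
            if self.hardened:
                os.remove(self._path(msg_id))  # purge the cached copy on expiry

def disk_state(hardened):
    """Return (files before open, files after expiry) for one constructed message."""
    with tempfile.TemporaryDirectory() as cache:
        store = SecretMediaStore(cache, hardened)
        store.receive("m1", b"constructed sample media", ttl=5)
        before_open = sorted(os.listdir(cache))
        store.open_message("m1", now=100)
        store.tick(now=105)
        return before_open, sorted(os.listdir(cache))
```

`disk_state(False)` returns `(['m1.bin'], ['m1.bin'])`: the file is on disk before the message is opened and still there after the timer expires. `disk_state(True)` returns `([], [])`.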
Dhiraj Mishra, a security researcher, uncovered a similar flaw in the Secret Chat feature in February, which prevented self-destructing material from being erased from recipients’ devices.
“This is a similar bug, but the media was left in an entirely different file location. This researcher’s findings were patched in Telegram v7.4, while our researcher’s findings weren’t fully patched until v7.7,” Karl Sigler, Senior Security Research Manager, Trustwave SpiderLabs, told BleepingComputer. “It’s apparent that Telegram has a history of leaving these supposedly “Self-Destruct” media files behind.”