A flaw in a high-level privacy feature of Telegram for macOS, which sets a “self-destruct” timer for messages on both the sender’s and recipient’s devices, can allow someone to recover those messages even after they have been deleted, according to a researcher. Telegram declined to fix one of the two scenarios in which the flaw can be exploited, prompting the Trustwave researcher to turn down a bug bounty and instead publicly disclose his findings.
About the Flaw
Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLabs, discovered the flaw in the Self-Destruct feature of Telegram for macOS. The feature is part of the app’s Secret Chats, which use end-to-end encryption.
This encryption, to which even Telegram’s own administrators hold no key, is “meant for people who are concerned about the security and privacy of their chat history,” he wrote in a blog post about his findings published Thursday.
Indeed, Telegram is often considered one of the most secure messaging apps; many users have switched from Facebook’s WhatsApp to Telegram because of their privacy concerns.
Jayapaul worked with Telegram on a fix for the flaw, which leads to two scenarios in which users’ privacy is violated. He also found a clause in the company’s vulnerability disclosure program that prevents researchers from publicizing a vulnerability once they accept a bug-bounty payout, something Jayapaul said he was against.
In the first scenario, he said, shared locations, video messages and audio messages can be recovered even after they are set to self-destruct on both the sender’s and recipient’s devices. In the second, the same media can be recovered without the recipient ever opening the message in the app, or after deleting it unread.
Telegram addressed the first scenario but declined to fix the second. As a result, the Trustwave researcher turned down Telegram’s bug bounty, since accepting it “would have kept us from disclosing this research to the community,” Jayapaul wrote.
“We feel bug bounties that require permanent silence about a vulnerability do not help the broader community to improve their security practices and can serve to raise questions about what exactly the bug bounty is compensating the individual for – reporting a vulnerability to the bounty payer or their silence to the broader community. This is especially serious in this case, where one of the issues reported went unaddressed.”
What Can It Be Used For?
Jayapaul found the vulnerability in Telegram for macOS version 7.5. Any audio, video, documents or shared locations sent through the app are stored in the Telegram cache at the following path: “/Users/Admin/Library/Group Containers/XXXXXXX.ru.keepcoder.Telegram/appstore/account-1271742300XXXXXX/postbox/media”.
Secret-Chat media are stored in this directory with the file-name prefix “secret-file-xxxxxx.” “By default, any media files, except attachments, sent to Telegram are downloaded to the above cache folder,” he noted. “Shared locations are stored as a picture.”
Jayapaul described two scenarios in which the issue can be exploited: one that violates the privacy of both the sender and the recipient of the messages or shared locations, and one that affects only the sender.
In the first, a user sends a voice recording, video message or image, or shares a location, with the “self-destruct” timer set. As the feature is designed, the message is removed once the recipient has read it. “However, the files are still stored locally inside the cache folder available for recovery,” he said.
In the second, the recipient either retrieves the self-destructing file directly from the cache folder without ever opening the message, or deletes the message in the app without reading it. In either case, the sender has no idea whether the message was read, and the recipient “will retain a permanent copy of the media,” according to the post.
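The practical check behind both scenarios is whether files with the “secret-file-” prefix survive in the media cache after the timer has fired. The script below is an added example, not code from the Trustwave post or from Telegram: it snapshots the cache listing before a self-destructing message is opened, then reports which of those files still exist afterwards. It assumes the cache directory is supplied by the user (the account-specific path in the post is partly redacted, so nothing is hard-coded) and that Secret-Chat media carry the “secret-file-” prefix described above.

```shell
#!/usr/bin/env bash
# Added example (not part of the original research): audit a Telegram for
# macOS media cache directory for Secret-Chat media that outlived the
# self-destruct timer. The cache directory is an argument supplied by the
# user; file names are matched on the "secret-file-" prefix from the post.
set -eu

# List Secret-Chat media files directly under the cache directory,
# one absolute path per line, sorted for stable comparison.
list_secret_media() {
  dir="$1"
  find "$dir" -maxdepth 1 -type f -name 'secret-file-*' -print | sort
}

# Write the current listing to a snapshot file. Take this before opening
# (or deleting unread) a self-destructing message in the app.
snapshot_secret_media() {
  dir="$1"
  out="$2"
  list_secret_media "$dir" > "$out"
}

# Print every file from the "before" snapshot that still exists on disk.
# Exit status 0 means nothing lingered; 1 means at least one supposedly
# self-destructed media file is still recoverable from the cache.
lingering_secret_media() {
  before="$1"
  found=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if [ -f "$f" ]; then
      printf '%s\n' "$f"
      found=1
    fi
  done < "$before"
  return "$found"
}

# Usage: script.sh <cache-dir> snapshot|check <snapshot-file>
if [ $# -ge 3 ]; then
  case "$2" in
    snapshot) snapshot_secret_media "$1" "$3" ;;
    check)
      if lingering_secret_media "$3"; then
        echo "OK: no Secret-Chat media lingered in $1"
      else
        echo "WARNING: self-destructed media still cached in $1" >&2
        exit 1
      fi
      ;;
  esac
fi
```

Run it once with `snapshot` before the recipient opens the message, wait for the timer to expire, then run `check`; any path it prints is media the app claims to have destroyed but that remains on disk. Because the check operates on the listing rather than the app, it also covers the second scenario, where the file was never opened at all.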
Telegram’s Reaction and Disclosure
When Jayapaul contacted Telegram, the company immediately addressed the issue in the first scenario, in which “any chats/media can be recovered from the cache even after they are supposedly self-deleted after opening the message in the app,” he wrote.
He noted that while the initial update did not cover shared locations, the company eventually shipped a fix for those as well.
However, the company declined to fix the caching issue in the second scenario for media files, citing “some ways to work around” the app’s self-destruct timer “that are outside” what the app can control, Jayapaul said.
Telegram said the FAQ page on its website informs users about “such circumstances.”
Jayapaul, for one, believes the fix “would be a simple one”: apply to media the same caching approach Telegram already uses for attachments in self-destructing chats.
“If you attach media files to a message, the attachments cannot be accessed in the cache prior to clicking the message,” Jayapaul explained. “Only after the message is opened in the app are the attachments downloaded and then deleted after the timer.”
Telegram offered the researcher a bug bounty, which he said he was “delighted” to receive, but he turned it down because he preferred to disclose his findings publicly.
“Public disclosure is an important part of the vulnerability discovery and remediation process,” he said. “It is essential for the public in a variety of ways. Because of these concerns and my commitment to information security, I have declined the bug bounty in exchange for disclosure.”