Secure messaging platform Telegram is a little less secure than first thought, thanks to a new glitch that allowed bad actors to access self-destructing audio and video messages long after the sender and recipient believed these messages were permanently deleted. The bug, which impacted the macOS version of the messaging service, comes a few short weeks after millions of new users joined Telegram following the announcement of a new privacy policy for Facebook-owned WhatsApp, which many viewed as a way to share more data from their texts with the parent company.
For any new users who left WhatsApp for Telegram, the latest glitch is a stark reminder that, unfortunately, no messaging service is completely secure.
The latest privacy-defeating vulnerability was unearthed by security researcher Dhiraj Mishra. It’s found in version 7.3 of the macOS app. Telegram was notified about the issue on December 26, 2020, and following an update on January 29, the issue has been resolved in version 7.4 of the macOS app. Mishra has allowed enough time for most users to update their app before speaking publicly about the bug – but if you haven’t yet updated Telegram on your MacBook, iMac, Mac Pro or Mac mini, you’ll want to head to the App Store to download the update right away.
Unlike Signal and WhatsApp, Telegram does not use end-to-end encryption for its messages by default. Instead, users need to opt in to a mode called “Secret Chat” to enable this crucial privacy measure. When this mode is enabled, users have the option to send “self-destructing” messages. These are not only end-to-end encrypted – thereby preventing anyone apart from the sender and the recipient (including Telegram itself) from seeing the contents – but are also automatically deleted from both phones after a pre-determined amount of time. So, the recipient isn’t able to go back and double-check the encrypted messages days later.
However, Mishra discovered that when audio or video messages were recorded on the macOS application, it was possible to track down the .mp4 recording on the laptop’s hard drive. Once you know where the file is stored, it’s possible to dive into the folders on your Mac and retrieve the recording – even when it’s vanished from the chat window within Telegram. Although playing the video or listening to the audio clip within the app is no longer possible, the file itself isn’t deleted and remains accessible provided you know where to look.
“Telegram says ‘super secret’ chats do not leave traces, but it stores the local copy of such messages,” Mishra clarified to The Hacker News.
Mishra was awarded €3,000 for reporting the bug, which has now been fixed.
Telegram has enjoyed a surge in popularity this year. Back in January, the messaging platform, which pioneered the use of animated stickers, reached a milestone of 500 million monthly users thanks to a flood of disgruntled WhatsApp users following a revision to WhatsApp’s privacy policy that users had to sign. The deadline to agree to the new terms, which was scheduled for earlier this month, has been pushed back to try to create some distance from the backlash before WhatsApp asks all users who want to continue using the app to agree to the new terms.