Telegram Privacy Feature Inadequate to Delete Self-Destructing Video Files!

Telegram offers a Secret Chat mode that provides more chat privacy than standard chats, but Telegram failed to delete video files through the self-destructing feature.

According to Telegram, in a Secret Chat the connections are end-to-end encrypted, you cannot send the messages on to others, and all messages and media files are automatically deleted from all devices after a certain amount of time.

What Occurred Specifically?

Yesterday, however, a security researcher disclosed a vulnerability in the Secret Chat feature of Telegram 7.3, where media is not deleted from the recipient's device. While examining Telegram's security on macOS, the researcher discovered that standard chats leak the sandbox path where the audio and video files are stored. In Secret Chats the path is not leaked, but the media is still stored in the same folder.

The researcher also shared the path, which was "var/folders/x7/khjtxvbnolzjyy9xcz18z100000gn/T/". In the case of Secret Chats, the :// URI was not leaked, but the recorded audio and video messages are still stored in the above path. The researcher added that in a Secret Chat the media was removed from the chat but remained accessible through the computer's folder.

For example, suppose Root is an attacker and Ben is the victim, and they are communicating through a Secret Chat. Ben sends a video to Root and sets a timer of 20 seconds. The recorded message is then deleted from the chat but is still accessible from Root's path. This means that Telegram was unable to protect Ben's privacy.

This vulnerability is critical for users who send confidential information through Telegram and expect that their privacy is maintained and their data is removed after some time.

For better understanding, we have also attached the video shared by the security researcher below.

Additional Vulnerabilities

Apart from the chat issue, the researcher also said that Telegram was storing the user passwords used to unlock the application in plain text on the device.

These plain text passwords were stored as a JSON file in a directory at the path Users/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram/accounts-metadata.

The good news is that the researcher reported these bugs on December 26th, 2020, and Telegram has now fixed them in its updated version 7.4. The researcher also received a monetary prize of $3000 from Telegram.
