Telegram for Mac Flaws Allow you to Save Self-destructing Messages Forever

Security researchers have recently found a way for Telegram for Mac users to keep specific self-destructing messages forever, or to view them without the sender ever knowing. Telegram offers an optional ‘Secret Chat’ mode that adds a number of privacy features on top of regular chats.

When you start a Secret Chat with another Telegram user, the conversation is end-to-end encrypted, and all messages, attachments and media are set to self-destruct automatically and be deleted from every device after a chosen period.

However, new bugs found by Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLabs, allow Telegram for Mac users to keep self-destructing messages and attachments forever.

When media files (as opposed to attachments) are sent in a message, they are stored in a cache folder at the following path, where XXXXXX is the unique number associated with the account:

/Users/Admin/Library/GroupContainers/XXXXXXX.ru.keepcoder.Telegram/appstore/account/1271742300XXXXXX/postbox/media

In Which Version of Telegram Was the Bug Fixed?

Telegram does not download attachments (documents such as text, doc or pdf files, plus audio and video files) until the recipient tries to open them, most likely because of their larger size.

When the recipient reads the message or views the content, the self-destruct timer starts, and once it expires the content is automatically deleted.

However, Reegun found that self-destructing media was not removed from the cache folder, so a user could save it to another location on their hard drive.

This flaw was fixed in Telegram for macOS version 7.7 (215786) after it was responsibly reported, but a second flaw still allows self-destructing media to be saved.
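One way to verify on your own install whether the fix actually purges the cache, as an added example here (not Telegram's or Trustwave's code) that assumes the cache path from the article with placeholders for the container prefix and account id: take a metadata-only snapshot of the media folder before the self-destruct timer runs out, then list whatever is still there afterwards.

```python
#!/usr/bin/env python3
"""Check whether Telegram for Mac's media cache still holds self-destructed media.

Added example, not Telegram's or Trustwave's code. After filling in DEFAULT_CACHE:
  python3 cache_audit.py state.json save   # before the self-destruct timer expires
  python3 cache_audit.py state.json diff   # after it expires: lists survivors
"""
import json
import sys
import tempfile
from pathlib import Path

# Path quoted in the article; XXXXXXX and ACCOUNT_ID are placeholders to fill in.
DEFAULT_CACHE = Path.home() / ("Library/Group Containers/XXXXXXX.ru.keepcoder.Telegram"
                               "/appstore/account/ACCOUNT_ID/postbox/media")

def snapshot(root):
    """Map each file under root to [size, mtime_ns]; metadata only, content is never read."""
    root = Path(root)
    return {str(p.relative_to(root)): [p.stat().st_size, p.stat().st_mtime_ns]
            for p in root.rglob("*") if p.is_file()}

def surviving(before, after):
    """Entries unchanged between snapshots: media the timer should have purged but did not."""
    return sorted(name for name, meta in before.items() if after.get(name) == meta)

def purged(before, after):
    """Entries that disappeared between snapshots, i.e. the timer did its job."""
    return sorted(name for name in before if name not in after)

def self_check():
    """Offline demo on constructed data: two fake media files, one gets purged."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "img_a.jpg").write_bytes(b"constructed jpeg")
        (Path(tmp) / "vid_b.mp4").write_bytes(b"constructed mp4")
        before = snapshot(tmp)
        (Path(tmp) / "vid_b.mp4").unlink()  # simulate the timer purging one file
        after = snapshot(tmp)
        return surviving(before, after), purged(before, after)

def main(argv):
    state, mode = Path(argv[1]), argv[2]
    if mode == "save":
        state.write_text(json.dumps(snapshot(DEFAULT_CACHE)))
    else:
        for name in surviving(json.loads(state.read_text()), snapshot(DEFAULT_CACHE)):
            print("still cached after timer:", name)

if __name__ == "__main__":
    main(sys.argv) if len(sys.argv) == 3 else print(self_check())
```

Run with no arguments to exercise the constructed demo; a file listed as "still cached after timer" on a real install means the version you are running does not purge the cache.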

How to Copy Unopened Self-Destructing Media?


Because video messages, images, voice recordings and location-sharing images are downloaded to the cache automatically, Reegun found that a user could simply copy the media from the cache folder before viewing it in the application.

“Bob transmits a media message to Alice (whether voice recordings, images, video messages or location sharing). Without opening the message, since it may self-destruct, Alice instead goes to the cache folder and accesses the media file,” Reegun describes in his report.

“She can also delete the messages from the folder without reading them in the application. Regardless, Bob will not know whether Alice has read the message, and Alice will retain a permanent copy of the media.”

Telegram told Reegun that this second flaw would not be fixed, as there is no way to secure direct access to the application’s folder.

“Please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app’s folder), and we clearly warn users about such circumstances: https://telegram.org/faq#q-can-telegram-protect-me-against-everything” – Telegram.

Reegun disputes this; he told our experts that Telegram could resolve the flaw by treating all self-destructing media the same way as attachments and not downloading it to the local file system until it is opened.

In February, security researchers found the same vulnerability in the Secret Chat feature, which caused self-destructing media not to be deleted from recipients’ devices.

“This is the same error, but the media was left in a completely different file location. That researcher’s findings were patched in Telegram v7.4, while ours were not fully patched until v7.7.”

Our experts have contacted Telegram to ask why this flaw is not being fixed but have not heard back.
