Telegram, one of the most popular messaging app has been found with a security flaw that exposes the private data of Mac users. It is said that the bug has made it possible to get access to self-destructing audio and video messages after deleting from secret chats.
Telegram on Mac Left Secret Chat Stored
A security researcher Dhiraj Mishra has discovered the vulnerability in the app version 7.3 on December 26, 2020. However, the issue was not solved even in the 7.4 version that is released on 29 January.
Telegram app conversations are not end-to-end encrypted by default until the users enable the feature called “Secret Chat”. This feature keeps the data encrypted on Telegram servers also.
The security researcher discovered the flaw in the secret chat feature. He found out, whenever the user sends media files in a normal chat, the app reveals the destination of where the folder of the image, video is being stored.
The media file stays in the local storage folder even after getting deleted automatically from the chat window. Mishra found out that the app for macOS version 7.3 is storing local passcodes that the user has set. And this means any user can find your passcode and get access to your chats. The local passcode is stored in plain text in JSON file located under “/Users/<user_name>/Library/Group Containers/<*>.ru.keepcoder.Telegram/accounts-metadata/.”
According to the researcher,
“Telegram says ‘super secret’ chats do not leave traces, but it stores the local copy of such messages under a custom path”.
“During my assessment, I found that self-destructed messages, in this case, recorded audio/video messages, are actually never deleted and leave a local copy under a custom/sandbox path. The recorded audio/video message gets stored in mp4 or mov formats, and still remains even after a user delete for everyone from the normal chat.”
For reporting about the two flaws, security researcher Dhiraj Mishra was awarded €3,000 as a part of its program.