Secret Chat in Telegram Left Self-Destructing Media Files On Devices
Popular messaging app Telegram fixed a privacy-defeating bug in its macOS app that made it possible to access self-destructing audio and video messages long after they disappeared from secret chats.
Security researcher Dhiraj Mishra discovered the vulnerability in version 7.3 of the app and disclosed his findings to Telegram on December 26, 2020. The issue has since been resolved in version 7.4, released on January 29.
Unlike Signal or WhatsApp, conversations on Telegram by default are not end-to-end encrypted, unless users explicitly opt to enable a device-specific feature called "secret chat," which keeps data encrypted even on Telegram servers. Also available as part of secret chats is the option to send self-destructing messages.
Mishra found that when a user records and sends an audio or video message in a regular chat, the application leaks the exact path where the recorded message is stored in ".mp4" format. With the secret chat option turned on, the path is not leaked, but the recorded message is still stored in the same location.
While the service does encrypt messages in transit between client and server (using a proprietary protocol named "MTProto") and also when they are stored in the Telegram cloud, it's worth keeping in mind that group chats offer no end-to-end encryption and that all default chat histories are stored on its servers. This is to make conversations easily accessible across devices.
"So if you are on Telegram and want a truly private group chat, you're out of luck," Raphael Mimoun, founder of the digital security nonprofit Horizontal, said last month.
via thehackernews