Telegram’s Feature Secret Chat Stores Self-Destructing Media Files On Shared Device
Telegram, a popular mainstream messaging application, recently fixed a privacy bug in the macOS version of its app that made it possible to access self-destructing video and audio messages even long after they had vanished from secret chats.
The vulnerability was found by security researcher Dhiraj Mishra in version 7.3 of the Telegram application; he reported his findings to Telegram on December 26, 2020. The issue has since been fixed in version 7.4, published on January 29.
Unlike Signal or WhatsApp, chats on Telegram are not end-to-end encrypted by default, unless users opt into the device-specific feature called Secret Chat, which keeps messages encrypted even on Telegram's servers. Secret Chats also offer the option to send self-destructing messages.
The researcher found that when a user records and sends an audio or video message in a regular chat, the application leaks the specific path where the recorded message is stored as an “.mp4” file. When the Secret Chat feature is used, the path is not leaked, but the recorded message is still stored in the same location.
Moreover, even when a user receives a self-destructing message in a Secret Chat, the media file (audio/video) remains on disk after the message has vanished from the application's chat screen.
Dhiraj Mishra told The Hacker News: “Telegram says ‘super-secret’ chats do not leave traces, but it stores the local copy of such messages under a custom path.”
Mishra also found a second weakness in Telegram's macOS application: it stores local passwords in plaintext in a JSON file located under “/Users/<user_name>/Library/Group Containers/<*>.ru.keepcoder.Telegram/accounts-metadata/.” He was awarded €3,000 for reporting the two vulnerabilities under Telegram's bug bounty program.
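Both issues described above (media files that outlive the self-destructing message, and credentials kept in plaintext JSON under the app's container) are things a user or administrator can audit for on their own machine. The following is an added example, not code from the article or from Telegram: it walks a container directory, reports media files older than the chat timer as residue candidates, and flags JSON keys that look like stored credentials. The directory layout and the key names it looks for (`password`, `passcode`, `pin`) are assumptions; the sample container it builds is constructed for the demonstration and does not reproduce Telegram's real on-disk format. It reports only the location of a suspect value, never the value itself.

```python
from __future__ import annotations

import json
import os
import tempfile
import time
from pathlib import Path

# The article names .mp4 as the format recorded voice/video messages are saved in.
MEDIA_SUFFIXES = {".mp4"}
# Assumption: substrings of JSON key names that suggest a stored credential.
SUSPECT_KEYS = ("password", "passcode", "pin")


def find_residual_media(root: Path, older_than_seconds: int = 0) -> list[Path]:
    """Return media files under root whose mtime is at least older_than_seconds old.

    A self-destructing message's media should not outlive the message, so any media
    file older than the chat's timer is a candidate for leftover data.
    """
    now = time.time()
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in MEDIA_SUFFIXES:
            if now - p.stat().st_mtime >= older_than_seconds:
                hits.append(p)
    return sorted(hits)


def _walk_keys(obj, prefix: str = ""):
    """Yield (dotted key path, value) for every key in a nested JSON structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            yield path, v
            yield from _walk_keys(v, path)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk_keys(v, f"{prefix}[{i}]")


def find_plaintext_secrets(metadata_dir: Path) -> list[tuple[Path, str]]:
    """Return (file, key path) pairs for credential-looking keys with non-empty string values."""
    findings = []
    for p in metadata_dir.rglob("*.json"):
        try:
            data = json.loads(p.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue  # unreadable or not JSON; skip rather than fail the whole audit
        for key_path, value in _walk_keys(data):
            leaf = key_path.rsplit(".", 1)[-1].lower()
            if any(s in leaf for s in SUSPECT_KEYS) and isinstance(value, str) and value:
                findings.append((p, key_path))
    return findings


def audit(root: Path, older_than_seconds: int = 86400) -> dict:
    """Run both checks against a container directory and return relative paths only."""
    meta = root / "accounts-metadata"  # subdirectory named in the article
    return {
        "residual_media": [str(p.relative_to(root))
                           for p in find_residual_media(root, older_than_seconds)],
        "plaintext_secrets": [(str(p.relative_to(root)), key)
                              for p, key in find_plaintext_secrets(meta)],
    }


def build_sample_container() -> Path:
    """Construct a throwaway directory with one stale .mp4 and one JSON file holding a
    plaintext credential. Constructed sample data, not Telegram's real layout."""
    root = Path(tempfile.mkdtemp(prefix="tg-audit-"))
    meta = root / "accounts-metadata"
    meta.mkdir()
    (meta / "account.json").write_text(
        json.dumps({"accountId": 1, "localPassword": "hunter2"}), encoding="utf-8")
    media = root / "media"
    media.mkdir()
    stale = media / "voice_message.mp4"
    stale.write_bytes(b"\x00" * 16)
    two_days_ago = time.time() - 2 * 86400
    os.utime(stale, (two_days_ago, two_days_ago))  # backdate so it counts as residue
    return root


if __name__ == "__main__":
    sample = build_sample_container()
    print(json.dumps(audit(sample), indent=2))
```

Run against a real container by passing its path to `audit()`; the threshold should match the longest self-destruct timer in use, so that only media that has clearly outlived its message is reported.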
The service does offer client-server and server-client encryption using a proprietary protocol named MTProto, and messages are stored in the Telegram cloud. It is worth remembering, however, that group chats in Telegram offer no end-to-end encryption and that all default chat histories are stored on its servers, so that conversations are readily available across devices. So if you are on Telegram and want a completely private group chat, you are out of luck.