Telegram’s secure messaging platform is a little less secure than expected thanks to a recent glitch that allowed bad actors to access self-destructive audio and video messages long after the sender and recipient believed that those messages were permanently deleted. The bug that impacted the macOS version of the messaging service occurs a few weeks after millions of new users joined Telegram after it announced a new privacy policy for WhatsApp owned by Facebook, which many saw a possibility share more data their texts with the parent company.
For all new users who have left WhatsApp for Telegram, the latest bug is a stark reminder that unfortunately, no messaging service is completely secure.
The most recent privacy breach was discovered by security researcher Dhiraj Mishra. It is included in version 7.3 of the macOS app. Telegram was informed of the problem on December 26, 2020. After an update on January 29th, the problem was fixed in version 7.4 of the macOS app. Mishra has given most of the users ample time to update their app before publicly speaking about the bug. However, if you haven’t updated Telegram on your MacBook, iMac, Mac Pro, or Mac mini, you should head over to the App Store to download it right away.
Unlike Signal and WhatsApp, Telegram doesn’t use end-to-end encryption for its messages by default. Instead, users must sign up for a mode called “Secret Chat” in order to enable this important privacy measure. When this mode is enabled, users have the option to send “self-destructive” messages. These are not only encrypted throughout, which prevents anyone other than the sender and recipient from seeing the content (including the telegram itself), but it also prevents the content from being automatically deleted from both phones after a set period of time. As a result, the recipient will no longer be able to review the encrypted messages days later.
However, Mishra found that while recording audio or video messages in the macOS application, it was possible to locate the MP4 recording on the laptop hard drive. Once you know where the file is stored, you can dive into the folders on your Mac and check the recording – even if it’s gone from the chat window in Telegram. Although you can no longer play the video or listen to the audio clip in the app, the file itself is not deleted and remains available as long as you know where to look.
“Telegram says that ‘super secret’ chats leave no trace but store the local copy of such messages,” Mishra told The Hacker News.
Mishra received € 3,000 for reporting the bug, which has now been fixed. Telegram is enjoying growing popularity this year. Back in January, the messaging platform that pioneered the use of animated stickers hit a milestone of 500 million monthly users thanks to a deluge of disgruntled WhatsApp users following a revision of its privacy policy that required users to subscribe. The deadline for agreeing to the new terms, which was slated for earlier this month, has been postponed to create some distance from the game before WhatsApp asks all users who want to continue using the app to agree to the new terms.
