Telegram 'Secret Chat' didn't delete self-destructing media files
2021-02-12 19:57

Telegram has fixed a security issue where self-destructing audio and video files were not being deleted from users' macOS devices as expected.

Telegram offers a 'Secret Chat' mode that provides more privacy than standard chats.

Yesterday, security researcher Dhiraj Mishra told BleepingComputer that he discovered a vulnerability in the Secret Chat feature on Telegram 7.3 where self-destructing media is not deleted from recipients' devices.

While performing a Telegram security audit on macOS, Mishra discovered that standard chats would leak the sandbox path where received video and audio files are stored.

"However, the recorded message gets deleted from the chat after 20 seconds but still remains under Bob's custom path, over here Telegram fails to prevent the privacy for Alice. In general the functionality of self-destructing and leaving no traces failed," Mishra explains in an attack scenario shared with BleepingComputer.

In addition to the Secret Chat security issue, Mishra discovered that Telegram was storing users' local passcodes to unlock the app in plain text on the device.


News URL

https://www.bleepingcomputer.com/news/security/telegram-secret-chat-didnt-delete-self-destructing-media-files/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Telegram 6 2 23 8 2 35