Popular messaging app Telegram fixed a privacy-defeating bug in its macOS app that made it possible to access self-destructing audio and video messages long after they disappeared from secret chats.
The vulnerability was discovered by security researcher Dhiraj Mishra in version 7.3 of the app, who disclosed his findings to Telegram on December 26, 2020. The issue has since been resolved in version 7.4, released on January 29.
Unlike Signal or WhatsApp, conversations on Telegram by default are not end-to-end encrypted, unless users explicitly opt to enable a device-specific feature called “secret chat,” which keeps data encrypted even on Telegram servers. Also available as part of secret chats is the option to send self-destructing messages.
What Mishra found was that when a user records and sends an audio or video message via a regular chat, the application leaked the exact path where the recorded message is stored in “.mp4” format. With the secret chat option turned on, the path information is not spilled, but the recorded message still gets stored in the same location.
images from Hacker News