That Telegram feature that let you delete your private messages on recipients' phones? It didn't work properly
Infosec bod bags reward for spotting image privacy bug
Telegram has fixed a bug that broke one of its chat app's key privacy features: the ability to fully delete your sensitive messages on recipients' phones.
The software claimed it could effectively recall messages you sent to your friends: recalled chats were said to be deleted from their devices.
However, bug-bounty hunter Dhiraj Mishra told The Register today that while the text content of messages would be removed, any attached images would inadvertently remain on the handset.
And while it's fair to assume that, generally speaking, once you send data to someone on the internet, that information is effectively out of your hands and virtually impossible to recall, bear in mind this remote-delete mechanism is an advertised feature of Telegram, and was expected to work.
"Assume a scenario where Bob sends a message which is a confidential image and was mistakenly sent to Alice. Bob proceeds to utilize a feature of Telegram known as 'Also delete for Alice' which would essentially delete the message for Alice," Mishra, who found the bug and privately reported it to Telegram, explained.
"Apparently, this feature does not work as intended, as Alice would still be able to see the image stored under `/Telegram/Telegram Images/` folder, concluding that the feature only deletes the image from the chat window."
Below is a video demonstrating the programming oversight:
"I have tried this with the latest stable version (5.10.0 (1684)) of Telegram for Android," Mishra added. "I haven't tried this with Telegram for iOS and Telegram for Windows but assuming this issue would exist on these other platforms."
While this could be embarrassing enough in a 1-to-1 chat, the flaw is particularly dangerous in large group chats. Mishra noted that in some cases Telegram groups will include thousands of people and, should the person mistakenly attach an image with private or confidential information, there would essentially be no way to make sure the image was deleted.
"You're relying on a functionality that is broken since your file would still be present in storage for all users," noted Mishra. "Aside from this, I found that since Telegram takes `read/write/modify` permission of the USB storage which technically means the confidential photo should have been deleted from Alice's device or storage."
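The failure mode Mishra describes, modelled as an added example (not Telegram's code): a simplified recipient-side store where the buggy recall drops only the chat entry, the corrected recall also unlinks the cached image, and an audit function reports media files that no surviving message references. Directory and file names are constructed stand-ins.

```python
"""Model of the 'delete for recipient' flaw: removing the chat entry while
leaving the media file behind. Constructed illustration, not Telegram's code."""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Message:
    msg_id: int
    text: str
    media_path: str = ""  # empty when the message carried no image


@dataclass
class RecipientDevice:
    """Stand-in for a recipient's local chat database plus the external
    media folder (the page names /Telegram/Telegram Images/)."""
    media_dir: str
    chat: dict = field(default_factory=dict)

    def receive(self, msg_id, text, image_bytes=None):
        path = ""
        if image_bytes is not None:
            path = os.path.join(self.media_dir, f"IMG_{msg_id}.jpg")
            with open(path, "wb") as fh:
                fh.write(image_bytes)
        self.chat[msg_id] = Message(msg_id, text, path)

    def delete_buggy(self, msg_id):
        # Behaviour the page describes: only the chat-window entry goes away.
        self.chat.pop(msg_id, None)

    def delete_fixed(self, msg_id):
        # Drop the chat entry AND unlink the file it pointed at.
        msg = self.chat.pop(msg_id, None)
        if msg and msg.media_path and os.path.exists(msg.media_path):
            os.remove(msg.media_path)

    def orphaned_media(self):
        """Audit: files in the media folder that no surviving message references."""
        referenced = {m.media_path for m in self.chat.values() if m.media_path}
        return sorted(f for f in os.listdir(self.media_dir)
                      if os.path.join(self.media_dir, f) not in referenced)


def demo(fixed):
    """Send one image, recall it, return the files left on the device."""
    with tempfile.TemporaryDirectory() as media_dir:
        dev = RecipientDevice(media_dir)
        dev.receive(1, "oops, wrong chat", image_bytes=b"\xff\xd8constructed-jpeg")
        (dev.delete_fixed if fixed else dev.delete_buggy)(1)
        return dev.orphaned_media()
```

`demo(False)` reproduces the leftover `IMG_1.jpg`; `demo(True)` leaves nothing behind, which is the check a tester would run against the patched app.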
This, says Mishra, is a serious security shortcoming for Telegram, an app that offers end-to-end encryption and prides itself on allowing users tight control over when and how their communications are seen.
"This issue could have a bigger impact and I am not sure how [long] this was in place," Mishra noted, "the word privacy of Telegram fails here again, and users' trust in Telegram is at risk."
Telegram seems to agree. The messaging app's developers awarded Mishra a tidy €2,300 ($2,542) reward for the find and have pushed out an update to address the flaw. Folks are advised to update to the latest version of the app (version 5.11 or higher) or opt to use the "New Secret Chat" feature, where images are deleted for both parties. ®