Telegram for Mac bugs allow self-destructing messages to be saved forever


Trustwave SpiderLabs specialist Reegun Richard Jayapaul has discovered a way to allow Telegram for Mac users to permanently save self-destructing messages and view them without the sender's knowledge.


To ensure more privacy of users in the Telegram messenger, it is possible to create private conversations with additional privacy features. When a user communicates in a private chat with another user, the traffic between them is protected using end-to-end encryption, and all messages, attachments and media files become self-destructing and after a while are automatically deleted from all devices. However, a vulnerability discovered by Jayapol allows these messages and attachments to be saved.


Media files and other attachments sent in a private conversation are saved in the cache folder located in the directory / Users / Admin / Library / Group Containers / XXXXXXX.ru.keepcoder.Telegram / appstore / account-1271742300XXXXXX / postbox / media, where XXXXXX is a unique account number records.


Telegram does not download attached files (text, doc, and pdf text documents, audio and video files) until the recipient tries to open them. This is most likely due to the large size of the documents.


When the recipient reads the message or views the attachments, a self-destruct timer starts, and when the user stops reading, the content is automatically deleted. However, Jayapol found that self-destructing files are not removed from the cache folder, and users can save them from there to any location on their hard drive.


The researcher duly notified Telegram of the vulnerability, and it was fixed in Telegram for macOS 7.7 (215786) and later. However, there is another bug that allows you to save self-destructing messages.


When voice and video messages, images or geolocations are automatically loaded into the cache, the user can simply copy them from the cache folder before opening it in Telegram itself. In addition, the recipient can read the message in the cache without opening it in the messenger. In this case, the sender will not know that the user has already read the message.


According to Telegram representatives, the second vulnerability cannot be fixed, since there is no way to protect the application folder from direct access. However, the researcher disagrees with this. In his opinion, Telegram can fix the error by treating all self-destructing media in the same way as attachments, and not uploading them to the local file system until they are open.

Previous Post Next Post