Telegram has fixed a serious bug that allowed users to recover photos and videos unsent by other people.
Cybersecurity researcher, Dhiraj Mishra, discovered that one of the mobile messaging app’s most attractive features, the ability to “unsend” content, was not functioning properly due to a bug.
Unlike other apps, Telegram enables its users to fully delete sent content remotely on the recipients’ phone whenever they want.
“Assume a scenario where Bob sends a message which is a confidential image and was mistakenly sent to Alice, Bob proceeds to utilize a feature of Telegram known as ‘Also delete for Alice’ which would essentially delete the message for Alice,” Mishra told The Register.
“Apparently, this feature does not work as intended, as Alice would still be able to see the image stored under `/Telegram/Telegram Images/` folder, concluding that the feature only deletes the image from the chat window,” he said.
Mishra, who discovered the bug and disclosed it privately to the company, said that the Android version of the messaging app would permanently store photos and videos in the device’s internal storage.
“This works perfectly in groups as well,” he said. “If you have a Telegram group of 100,000 members and you send a media message by mistake and you delete it, it only gets deleted from the chat but will remain in media storage of all 100,000 members.”
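As an added example (not from the article and not Telegram's code), the following Python check mirrors the test Mishra describes: snapshot the recipient's media folder before a picture arrives, after it arrives, and after "delete for everyone", then report any received file that is still on disk. The folder layout and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(media_dir):
    """Map every file under media_dir to its SHA-256, so a renamed copy still matches."""
    media_dir = Path(media_dir)
    result = {}
    for path in media_dir.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[str(path.relative_to(media_dir))] = digest
    return result


def residual_media(before_send, after_send, after_delete):
    """Files that appeared when the media was received and survive 'delete for everyone'."""
    received = {p: h for p, h in after_send.items() if before_send.get(p) != h}
    return sorted(p for p, h in received.items() if after_delete.get(p) == h)


def simulate_unsend(cleanup_removes_file):
    """Constructed walkthrough emulating the recipient's /Telegram/Telegram Images/ folder.

    cleanup_removes_file=False models the behaviour reported in the article (the file
    vanishes from the chat but stays in storage); True models a correct fix.
    """
    with tempfile.TemporaryDirectory() as root:
        media_dir = Path(root) / "Telegram" / "Telegram Images"
        media_dir.mkdir(parents=True)
        (media_dir / "old.jpg").write_bytes(b"existing picture")  # unrelated, must not be flagged
        before = snapshot(media_dir)

        leaked = media_dir / "IMG-confidential.jpg"  # constructed sample, not a real file
        leaked.write_bytes(b"constructed confidential image bytes")
        after_send = snapshot(media_dir)

        if cleanup_removes_file:
            leaked.unlink()  # what 'Also delete for Alice' should do on disk
        after_delete = snapshot(media_dir)
        return residual_media(before, after_send, after_delete)


if __name__ == "__main__":
    print("broken unsend leaves:", simulate_unsend(False))
    print("fixed unsend leaves:", simulate_unsend(True))
```

On a real device the three snapshots would be taken of the actual media folder around a send and an unsend; any path the check reports is media the recipient can still open outside the chat.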
“I have tried this with the latest stable version (5.10.0 (1684)) of Telegram for Android,” Mishra added. “I haven’t tried this with Telegram for iOS and Telegram for Windows, but I assume this issue would exist on these other platforms,” he said.
While this flaw could be embarrassing in one-to-one chats, it could have more serious consequences in large chat groups. Some groups include thousands of people, and if a member accidentally attached the wrong image, possibly a highly sensitive or confidential one, there would be no way for them to ensure the image was entirely deleted.
“You’re relying on a functionality that is broken, since your file would still be present in storage for all users,” he said. “Aside from this, I found that since Telegram takes `read/write/modify` permission of the USB storage, which technically means the confidential photo should have been deleted from Alice’s device or storage.”
“This issue could have a bigger impact and I am not sure how [long] this was in place,” Mishra noted. “The word privacy of Telegram fails here again, and users’ trust in Telegram is at risk.”
Since being made aware of the problem, the company has now fixed the issue and awarded Mishra €2,500 from the bug bounty for discovering and disclosing the vulnerability.
The company confirmed it rolled out the fix on September 5th; however, it is not known how many users may have been affected by the bug.
The app is advising its millions of users to update to the latest version of the app (version 5.11 or higher). Users can also opt to use the “New Secret Chat” feature the app offers, where images are deleted for both parties.