Telegram Bug in Mac Allows User To Save Secret Chats

 

Cybersecurity experts have found a technique that lets Telegram users on Mac keep self-destructing messages, or view them without the sender's knowledge. Telegram has an optional "secret chat" feature that protects the privacy of conversations with additional safeguards. If you start such a conversation with a Telegram user, the chat becomes end-to-end encrypted, all messages, media and attachments are set to self-destruct by default, and they disappear from the device after some time.

But a new bug found by cybersecurity expert Reegun Richard Jayapaul, Trustwave SpiderLabs' Lead Threat Architect, lets a Telegram Mac user save self-destructing messages and media permanently. If the files sent in a chat are other than media, they are saved in the cache folder with XXXXXX unique numbers related to a user profile. "As voice recordings, video messages, images, or location sharing images are automatically downloaded to the cache, Reegun discovered that a user could simply copy the media from the cache folder before viewing it in the program," reports BleepingComputer.

Telegram won't download these attachments unless the recipient chooses to download them, because these documents generally have a large file size. When a user views the content or reads a message, the self-destruct timer starts, and the chat and its content are soon deleted automatically. However, experts found that the self-destructing media wasn't removed from the cache folder, and the user had the option of saving it to a different location on the hard drive. Telegram patched the vulnerability in Telegram for macOS version 7.7 (215786) or later after it was pointed out; however, there is a different bug that allows a user to save self-destructing media.

According to the reports, Telegram has told the experts that the issue can't be fixed because there isn't any way to stop the second bug from gaining direct access to the app folder. Telegram said: "Please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app’s folder), and we clearly warn users about such circumstances."