Telegram has resolved a privacy issue that degraded the pillars of security the firm's messaging application is built upon -- the ability to remove content remotely from recipient devices.
Bug bounty hunter Dhiraj Mishra discovered a security failure (via TechCrunch) in the message deletion feature, which is intended to allow users to delete messages from recipient devices in cases after being sent but in cases when users wish to recall their messages and any associated content.
While the text content of a message would be removed if a user selected the 'Also Delete' function in Telegram, any images sent would stay in a handset's internal storage along the '/Telegram/Telegram Images/' path.
In other words, images would be deleted from chat windows but they would still be accessible if the recipient navigated to the Telegram Images folder.
"Assume a scenario where Bob sends a message which is a confidential image and was mistakenly sent to Alice, Bob proceeds to utilize a feature of Telegram known as "Also delete for Alice" which would essentially delete the message for Alice," the bug bounty hunter explained. "Apparently, this feature does not work as intended, as Alice would still be able to see the image stored under `/Telegram/Telegram Images/` folder, concluding that the feature only deletes the image from the chat window."
A similar messaging service, Facebook-owned WhatsApp, asks for the same read/write/modify storage permissions as Telegram on install and contains a similar feature called 'Delete for Everyone' which allows users to remove content including messages and images. However, in this app's case, media is also removed from storage at the same time.
In one-on-one chats, Telegram's privacy failure might not be the end of the world, but in 'supergroup' chat sessions that can contain thousands of active members, the implications may be more serious -- especially if a user sends a sensitive image or two by accident.
"Assume a case wherein you're a part of a group with 2,000,00 members and you accidentally share a media file not meant to be shared in that particular group and proceed to delete by checking "delete for all members" present in the group," Mishra notes. "You're relying on a functionality that is broken since your file would still be present in storage for all users."
Mishra verified the validity of the bug in Telegram for Android version 5.10.0 (1684) and it is possible the problem also impacted Telegram for Windows and iOS, but tests were not performed.
After submitting his findings to Telegram, the messaging service accepted the research and accompanying proof-of-concept (PoC). A fix has been included in the latest version of Telegram, version 5.11.
Mishra was awarded €2,500 ($2,749) for the report.
In August, Check Point researchers disclosed vulnerabilities in the WhatsApp messaging platform which could be exploited to "essentially put words in [a contact's] mouth."
The bugs allowed attackers to intercept and manipulate messages through the service -- which is protected via end-to-end encryption -- as well as change the identity of senders, and to send messages which are marked as 'private' but could be viewed publicly in a group chat.
Facebook said that one of the vulnerabilities has been fixed, but the other two were problematic due to structural and architectural limitations.
Previous and related coverage
- Adobe Flash, Application Manager patch update squashes critical code execution bugs
- WhatsApp vulnerabilities 'put words in your mouth,' lets hackers take over conversations
- European police arrest Dark Web counterfeit currency traders
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0