Much has been made in recent weeks of social media chat applications and their security, following Facebook’s changes in terms and conditions that affected users of its popular Whatsapp app.
Telegram has been touted as a safer alternative, with many users flocking to the app as a result.
But Telegram has found itself in some of its own issues, with a recent issue picked up by observers where an important privacy function didn’t quite operate the way it was meant to.
The app has seemingly fixed the privacy-defeating bug in its macOS app, which made it possible to access self-destructing audio and video messages long after they disappeared from “secret chats”.
The vulnerability was discovered when a security researcher disclosed his findings to Telegram last month. The issue has since been resolved in version 7.4, released on January 29.
Unlike Signal or WhatsApp, conversations on Telegram by default are not end-to-end encrypted, unless users explicitly opt to enable a device-specific feature called “secret chat,” which keeps data encrypted even on Telegram servers. Also available as part of secret chats is the option to send self-destructing messages.
What the researcher found was that when a user records and sends an audio or video message via a regular chat, the application leaked the exact path where the recorded message is stored in “.mp4” format. With the secret chat option turned on, the path information is not spilled, but the recorded message still gets stored in the same location.
Even in cases where a user received a self-destructing message in a secret chat, the multimedia message remained accessible on the system even after disappearing from the app’s chat screen.
The researcher was awarded €3,000 for reporting the two flaws as part of the app’s bug bounty program.
Telegram in January hit a milestone of 500 million active monthly users, in part led by a surge in users who fled WhatsApp following a revision to its privacy policy that includes sharing certain data with its corporate parent, Facebook.