How Secure is Telegram? Secret Chat leaves Self-Destructing Files on Devices



Much has been made in recent weeks of social media chat applications and their security, following Facebook’s changes in terms and conditions that affected users of its popular WhatsApp app.

Telegram has been touted as a safer alternative, with many users flocking to the app as a result.

But Telegram has run into issues of its own: observers recently picked up on an important privacy function that didn’t quite operate the way it was meant to.

The app has seemingly fixed the privacy-defeating bug in its macOS app, which made it possible to access self-destructing audio and video messages long after they disappeared from “secret chats”.

The vulnerability was discovered when a security researcher disclosed his findings to Telegram last month. The issue has since been resolved in version 7.4, released on January 29.

Unlike Signal or WhatsApp, conversations on Telegram by default are not end-to-end encrypted, unless users explicitly opt to enable a device-specific feature called “secret chat,” which keeps data encrypted even on Telegram servers. Also available as part of secret chats is the option to send self-destructing messages.

What the researcher found was that when a user records and sends an audio or video message via a regular chat, the application leaked the exact path where the recorded message is stored in “.mp4” format. With the secret chat option turned on, the path information is not spilled, but the recorded message still gets stored in the same location.

Even in cases where a user received a self-destructing message in a secret chat, the multimedia message remained accessible on the system even after disappearing from the app’s chat screen.
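The failure mode described above, a message that leaves the chat view while its media file stays on disk, can be modelled and checked for in a few lines. This is an added example, not Telegram's code: the `SecretChatCache` class, its method names and the cache layout are hypothetical, and the media bytes are constructed.

```python
import tempfile
from pathlib import Path


class SecretChatCache:
    """Toy model of a chat client's on-disk media cache (hypothetical)."""

    def __init__(self, cache_dir):
        self.cache_dir = Path(cache_dir)
        self.live = {}  # message id -> path of the cached recording

    def receive(self, msg_id, media_bytes):
        path = self.cache_dir / f"{msg_id}.mp4"
        path.write_bytes(media_bytes)
        self.live[msg_id] = path
        return path

    def expire_ui_only(self, msg_id):
        # Behaviour the article describes: the message disappears from the
        # chat, but the recording is left where it was stored.
        self.live.pop(msg_id, None)

    def expire_and_purge(self, msg_id):
        # Corrected behaviour: removing the message also removes its file.
        path = self.live.pop(msg_id, None)
        if path is not None:
            path.unlink(missing_ok=True)

    def orphaned_media(self):
        """Recordings on disk that no live message references any more."""
        referenced = set(self.live.values())
        return sorted(p.name for p in self.cache_dir.glob("*.mp4")
                      if p not in referenced)


def run(expire_method):
    """Receive one self-destructing message, expire it, audit the cache."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = SecretChatCache(tmp)
        cache.receive("m1", b"constructed sample media bytes")
        getattr(cache, expire_method)("m1")
        return cache.orphaned_media()


if __name__ == "__main__":
    print("UI-only expiry leaves:", run("expire_ui_only"))
    print("Expiry with purge leaves:", run("expire_and_purge"))
```

An orphan audit like `orphaned_media()` is the kind of regression check that catches this class of bug: after any expiry path runs, the cache directory should contain no file without a live message.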

The researcher was awarded €3,000 for reporting the two flaws as part of the app’s bug bounty program.

Telegram in January hit a milestone of 500 million active monthly users, in part led by a surge in users who fled WhatsApp following a revision to its privacy policy that includes sharing certain data with its corporate parent, Facebook.

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

