Lagos, Nigeria

Vulnerability in Telegram Secret Chat: Found Exposing Private Data of Mac Users

Telegram, one of the most popular messaging apps, has been found to have a security flaw that exposes the private data of Mac users. The bug reportedly made it possible to access self-destructing audio and video messages after they were deleted from secret chats.

Telegram on Mac Left Secret Chat Stored

Security researcher Dhiraj Mishra discovered the vulnerability in version 7.3 of the app on December 26, 2020. However, the issue was not solved even in version 7.4, which was released on 29 January.

Telegram conversations are not end-to-end encrypted by default; users have to enable the feature called “Secret Chat”. This feature also keeps the data encrypted on Telegram servers.

The security researcher discovered the flaw in the secret chat feature. He found that whenever a user sends media files in a normal chat, the app reveals the path of the folder where the image or video is stored.

The media file stays in the local storage folder even after it is automatically deleted from the chat window. Mishra also found that version 7.3 of the app for macOS stores the local passcode that the user has set. This means any user can find your passcode and get access to your chats. The local passcode is stored in plain text in a JSON file located under “/Users/<user_name>/Library/Group Containers/<*>.ru.keepcoder.Telegram/accounts-metadata/”.

According to the researcher,

“Telegram says ‘super secret’ chats do not leave traces, but it stores the local copy of such messages under a custom path”.

“During my assessment, I found that self-destructed messages, in this case, recorded audio/video messages, are actually never deleted and leave a local copy under a custom/sandbox path. The recorded audio/video message gets stored in mp4 or mov formats, and still remains even after a user delete for everyone from the normal chat.”
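A local audit for the two conditions described above, as an added example that is not code from the researcher, Telegram or the original article: it walks a container folder, flags passcode-like fields stored as plain strings in JSON files under accounts-metadata, and lists leftover mp4/mov files. The key-name match on "passcode", the function names and the sample file names are assumptions, since the article does not give the real JSON field name or media folder.

```python
import json
import os
import tempfile

MEDIA_EXTS = {".mp4", ".mov"}  # formats named in the researcher's report


def find_passcode_fields(node, trail=""):
    """Yield dotted paths of non-empty string values under passcode-like keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{trail}.{key}" if trail else key
            # Assumption: key name contains "passcode" (real name not in the article).
            if "passcode" in key.lower() and isinstance(value, str) and value:
                yield path
            yield from find_passcode_fields(value, path)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_passcode_fields(item, f"{trail}[{i}]")


def audit_container(root):
    """Return (plaintext passcode hits, leftover media files) found under root."""
    passcode_hits, media_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in MEDIA_EXTS:
                media_files.append(full)
            elif os.path.basename(dirpath) == "accounts-metadata":
                try:
                    with open(full, encoding="utf-8") as fh:
                        doc = json.load(fh)
                except (OSError, ValueError):
                    continue  # unreadable or not JSON: nothing to flag
                # Report only the field path, never the secret value itself.
                passcode_hits += [(full, p) for p in find_passcode_fields(doc)]
    return passcode_hits, sorted(media_files)


def demo():  # constructed layout and values, not real Telegram data
    with tempfile.TemporaryDirectory() as root:
        meta = os.path.join(root, "accounts-metadata")
        os.makedirs(meta)
        with open(os.path.join(meta, "login-state.json"), "w") as fh:
            json.dump({"settings": {"localPasscode": "1234"}}, fh)
        open(os.path.join(root, "voice-note.mov"), "wb").close()
        hits, media = audit_container(root)
        return [p for _f, p in hits], [os.path.basename(m) for m in media]
```

On a real Mac, audit_container would be pointed at the Group Containers folder quoted above; any hit means a secret or a "deleted" recording is still readable on disk.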

For reporting the two flaws, security researcher Dhiraj Mishra was awarded €3,000 as part of Telegram's program.

In January, Telegram reached 500 million monthly active users, as WhatsApp introduced a privacy policy update. Because of this update, many users have switched to Telegram and Signal.

This post was written by Farhan Shaikh and was first posted to TechViral
