Warning: Telegram Self-Destruct Messages Don’t Always Destroy Everything

Published 2 years ago

Users of the macOS Telegram messaging app are being warned about potential privacy issues that could expose files they share with others. According to research by Reegun Richard Jayapaul, lead threat architect at Trustwave SpiderLabs, the self-destruct feature in the privacy-focused app can be bypassed to keep hold of files permanently.

The first issue was that any media files sent over Telegram were stored in a cache folder, even after a message had self-destructed. That meant a hacker could still access those files, whether they included audio, video messages, shared locations or documents, according to Jayapaul. That issue was fixed by Telegram, though the details are only just coming out because Jayapaul declined to take a reward from Telegram, which asked him to keep the information secret in return for payment. It’s also the second time this year that a researcher has found files weren’t being effectively deleted during self-destructing chats in Telegram, the first being patched in version 7.4. The latest fix arrived in version 7.7. “It’s apparent that Telegram has a history of leaving these supposedly ‘self-destruct’ media files behind,” said Karl Sigler, Senior Security Research Manager, Trustwave SpiderLabs.

A second issue was not patched by Telegram: it’s possible to bypass the self-destruct feature by simply grabbing a file from the cache folder without ever opening the message. Keeping a copy could, of course, also be done by taking screenshots or screen recordings, though going into the cache makes it appear to the sender that the recipient hasn’t looked at the message, leaving the sender in the dark as to whether the recipient has the files.


“The self-destruct feature is intended to be a simple way for users to send media that will delete itself. We warn users that they should use this only with people they trust, as there is no way for software to 100% prevent someone from saving a version of messages or media—such as simply taking a photo of their screen with another device,” a Telegram spokesperson said, providing a link to customer guidance.

“With the help of researchers, we continue to improve the functionality and security of features like this—as was shown with the changes made to the macOS desktop app in June (other Telegram apps were not affected). For all other matters, we welcome further suggestions that can bring additional solutions.”

By Thomas Brewster, FORBES STAFF
