Telegram fixes privacy-breaking bug that stopped recipient message and image deletion

September 11, 2019 TH Author

[embedded content]

Telegram has resolved a privacy issue that degraded the pillars of security the firm’s messaging application is built upon — the ability to remove content remotely from recipient devices.

Bug bounty hunter Dhiraj Mishra discovered a security failure in the message deletion feature, which is intended to allow users to delete messages from recipient devices in cases after being sent but in cases when users wish to recall their messages and any associated content.

While the text content of a message would be removed if a user selected the ‘Also Delete’ function in Telegram, any images sent would stay in a handset’s internal storage along the ‘/Telegram/Telegram Images/’ path.

In other words, images would be deleted from chat windows but they would still be accessible if the recipient navigated to the Telegram Images folder.

“Assume a scenario where Bob sends a message which is a confidential image and was mistakenly sent to Alice, Bob proceeds to utilize a feature of Telegram known as “Also delete for Alice” which would essentially delete the message for Alice,” the bug bounty hunter explained. “Apparently, this feature does not work as intended, as Alice would still be able to see the image stored under `/Telegram/Telegram Images/` folder, concluding that the feature only deletes the image from the chat window.”

A similar messaging service, Facebook-owned WhatsApp, asks for the same read/write/modify storage permissions as Telegram on install and contains a similar feature called ‘Delete for Everyone’ which allows users to remove content including messages and images. However, in this app’s case, media is also removed from storage at the same time.

CNET: Mozilla tests Firefox VPN service to help protect your privacy

In one-on-one chats, Telegram’s privacy failure might not be the end of the world, but in ‘supergroup’ chat sessions that can contain thousands of active members, the implications may be more serious — especially if a user sends a sensitive image or two by accident.

“Assume a case wherein you’re a part of a group with 2,000,00 members and you accidentally share a media file not meant to be shared in that particular group and proceed to delete by checking “delete for all members” present in the group,” Mishra notes. “You’re relying on a functionality that is broken since your file would still be present in storage for all users.”

Mishra verified the validity of the bug in Telegram for Android version 5.10.0 (1684) and it is possible the problem also impacted Telegram for Windows and iOS, but tests were not performed.

After submitting his findings to Telegram, the messaging service accepted the research and accompanying proof-of-concept (PoC). A fix has been included in the latest version of Telegram, version 5.11.

Mishra was awarded €2,500 ($2,749) for the report.

TechRepublic: Google hopes to protect users with open source differential privacy library

In August, Check Point researchers disclosed vulnerabilities in the WhatsApp messaging platform which could be exploited to “essentially put words in [a contact’s] mouth.”

The bugs allowed attackers to intercept and manipulate messages through the service — which is protected via end-to-end encryption — as well as change the identity of senders, and to send messages which are marked as ‘private’ but could be viewed publicly in a group chat.

Facebook said that one of the vulnerabilities has been fixed, but the other two were problematic due to structural and architectural limitations.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0