Security researchers have uncovered an easy way to circumvent the self-destructing messages feature in the popular chat software Telegram.
In a blog post, security firm Trustwave detailed two separate vulnerabilities in Telegram for macOS, each of which compromises the effectiveness of the privacy feature.
The first can be abused to retrieve message data (photos, video messages, voice recordings and shared locations) even after the self-destruct process has been triggered, while the second lets someone access media without opening the message and setting off the self-destruct timer.
Both scenarios are made possible by the way in which Telegram stores message content in its cache on macOS devices; other operating systems are not affected.
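The underlying problem is a generic one: an ephemeral-messaging client that caches media on disk may leave that media behind after the message itself is deleted. The script below is an added audit helper, not Trustwave's tooling or anything from Telegram; it walks a cache directory and lists media files whose modification time predates the moment the self-destruct timer fired, which is exactly what should not exist if the feature works as advertised. The cache path, file suffixes and timestamps are assumptions and constructed sample data, because the page does not name Telegram's actual cache location.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

# Assumed set of media extensions an ephemeral chat client might cache.
MEDIA_SUFFIXES = {".jpg", ".jpeg", ".png", ".webp", ".mp4", ".mov", ".ogg", ".m4a"}


def lingering_media(cache_dir, destroyed_at, suffixes=MEDIA_SUFFIXES):
    """Return media files under cache_dir that were written at or before
    `destroyed_at` (epoch seconds) and still exist on disk.

    After a self-destruct timer has fired, an empty list is the expected
    result; anything returned is cached content that outlived the message.
    """
    found = []
    for path in Path(cache_dir).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        if path.stat().st_mtime <= destroyed_at:
            found.append(path)
    return sorted(found)


def build_sample_cache():
    """Constructed sample cache (placeholder for a real client cache dir).

    Creates two media files and one database file dated an hour ago, plus
    one media file written just now, and returns (root, destroyed_at) with
    destroyed_at set to one minute ago.
    """
    root = Path(tempfile.mkdtemp(prefix="ephemeral-audit-"))
    media = root / "media"
    media.mkdir()
    an_hour_ago = time.time() - 3600
    for name in ("photo.jpg", "voice.ogg", "index.db"):
        p = media / name
        p.write_bytes(b"constructed sample bytes")
        os.utime(p, (an_hour_ago, an_hour_ago))  # predates the timer
    (media / "new.png").write_bytes(b"constructed")  # written after the timer
    return root, time.time() - 60


def cleanup(root):
    """Remove the constructed sample cache."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root, destroyed_at = build_sample_cache()
    try:
        leftovers = lingering_media(root, destroyed_at)
        if leftovers:
            print("media still cached after self-destruct:")
            for p in leftovers:
                print("  ", p.relative_to(root))
        else:
            print("no lingering media")
    finally:
        cleanup(root)
```

Point the first argument at the real cache directory of the client under test and pass the time at which the timer fired; a non-empty result means the client's deletion only removed the message record, not the media on disk. Comparing file hashes against the originally sent media would strengthen the check, but mtime alone is enough to flag the class of leak described above.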
Telegram privacy options
The self-destructing messages option is housed within Telegram's Secret Chat mode, which gives users an extra layer of privacy and security afforded by end-to-end encryption. This means no third party has access to the messages sent back and forth, including Telegram itself.
Self-destructing messages are supposed to take this a step further, allowing users to set a timer after which messages and associated media are deleted from both devices without a trace. However, the two bugs discovered by Trustwave appear to render the feature effectively obsolete.
Trustwave says it reported both security issues to Telegram, which took action to fix one but not the other. At the time of writing, Telegram for macOS can still be abused to gain access to media files without opening a self-destructing message.
As justification for the decision to leave the second issue unaddressed, Telegram provided the researchers with the following statement:
“Please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app’s folder), and we clearly warn users about such circumstances.”
In its blog post, Trustwave also notes that it was compelled to decline the offer of a bug bounty reward, the receipt of which would have prevented the researchers from disclosing their findings to the public.
“Bug bounties are a welcome reward for individual researchers providing what amounts to a security audit that results in a better product and a more secure user base,” wrote Reegun Jayapaul, Lead Threat Architect.
“However, bug bounties that require permanent silence about a vulnerability do not help the broader community to improve their security practices and can serve to raise questions about what exactly the bug bounty is compensating the individual for - reporting a vulnerability or their silence to the community.”
Telegram has not yet responded to our request for comment on this criticism.