This popular Telegram privacy feature is practically useless for some users

Security researchers have uncovered a simple way to circumvent the self-destructing messages feature in popular chat application Telegram.

In a blog post, security company Trustwave detailed two separate vulnerabilities in Telegram for macOS, both of which compromise the effectiveness of the privacy feature.

The first can be abused to retrieve message data (images, video messages, voice recordings and shared locations) even after the self-destruct process has been triggered, while the second lets someone access media without opening the message and setting off the self-destruct timer.

Both scenarios are made possible by the way in which Telegram stores message content in cache on macOS devices, but other operating systems are not affected.

Telegram privacy features

The self-destructing messages option is housed within the Telegram Secret Chat mode, which offers users an additional layer of privacy and security through end-to-end encryption. This means no third party, including Telegram, has access to the messages sent to and fro.

Self-destructing messages are supposed to take this a step further, allowing users to set a timer after which messages and associated media are deleted from both devices without a trace. However, the two bugs discovered by Trustwave appear to render the feature effectively obsolete.

Trustwave says it reported both security issues to Telegram, which took action to plug up one but not the other. At the time of writing, Telegram for macOS can still be abused to gain access to media files without opening a self-destructing message.

As a justification for the decision to leave the second issue unaddressed, Telegram provided researchers with the following statement:

“Please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app’s folder), and we clearly warn users about such circumstances.”

In its blog post, Trustwave also notes that it was forced to decline the offer of a bug bounty reward, the receipt of which would have prevented the researchers from disclosing their findings to the public.

“Bug bounties are a welcome reward for individual researchers providing what amounts to a security audit that results in a better product and a more secure user base,” wrote Reegun Jayapaul, Lead Threat Architect.

“However, bug bounties that require permanent silence about a vulnerability do not help the broader community to improve their security practices and can serve to raise questions about what exactly the bug bounty is compensating the individual for - reporting a vulnerability or their silence to the community.”

Telegram has not yet responded to our request for comment on this criticism.


07 Aug 2021


