Telegram saved self-destructing media in secret chats
A vulnerability that violates user privacy was found in the macOS version of the popular messaging app Telegram. The issue was found by security researcher Dhiraj Mishra in Telegram version 7.3. Its exploitation allowed access to self-destructing audio and video messages long after those messages had disappeared from secret chats.
Unlike Signal or WhatsApp, Telegram does not encrypt conversations by default, except when users use secret chats, which keep data encrypted even on Telegram servers. The ability to send self-destructing messages is also available in secret chats.
According to the researcher, when a user records and sends an audio or video message in a standard chat, the application transmits the exact path where the recorded message is stored in the ".mp4" format. When the secret chat option is enabled, the path information is not transmitted, but the recorded message is still stored in the same place.
Even in cases where the user receives a self-destructing message in the secret chat, the multimedia message remains available in the system after it has been removed from the chat screen.
"Telegram reports that “super secret” chats do not leave traces, but they store a local copy of such messages along a given path," Mishra explained.
The expert also discovered another issue in the macOS version of the Telegram app, in which local passwords were stored in clear text in a JSON file.
Both vulnerabilities were fixed in version 7.4.
Source: securitylab.ru
15 February 2021