Telegram’s auto-delete feature is not what it seems: researchers have found a loophole in it.
Security researchers have reportedly found an easy way to get around the self-destructing messages feature of the popular chat application Telegram.
Bugs detected in Telegram
In a blog post on Trustwave.com, the privacy company Trustwave detailed two distinct weaknesses in the Telegram application for macOS, both of which undermine the usefulness of the self-destruct feature.
The first vulnerability can reportedly be abused to recover data, including video messages, images, shared locations, and voice recordings, even after the self-destruct timer has been triggered.
The second vulnerability allows an attacker to manipulate the media and disable the self-destruct timer without even opening the message.
Both issues stem from how the application stores messages and media in local storage on macOS devices; other operating systems are not affected.
The application’s Self-Destruct Timer is found in Telegram’s Secret Chat mode. Secret Chats also give users an extra layer of privacy through end-to-end encryption, which means that no other party, including Telegram itself, has access to the exchanged data.
The feature was meant to let users set a timer after which messages and other exchanged data are permanently removed from both devices, leaving no trace. The bugs uncovered by Trustwave clearly show that, on macOS, the feature is ineffective.
Is the application’s Self-Destruct Timer dangerous?
Trustwave says it has already reported the privacy issues to Telegram, which chose to fix only one of the two problems. As a result, Telegram for macOS can still be exploited so that the media files remain accessible without triggering the self-destruct.
Telegram’s explanation for leaving the second problem unaddressed, as relayed by the researchers, is that the self-destruct timer is intended mainly as an auto-delete option for individual messages.
Telegram added that there are other ways to defeat the timer that are outside the application’s control, such as duplicating the application’s folder, and that it has notified users about such possibilities.
Bug Bounty Reward
In the same blog post, Trustwave said it felt obliged to decline the bug bounty reward, because accepting it would have required the researchers to keep the application’s issues from its users.
According to Reegun Jayapaul, Lead Threat Architect at Trustwave, a bug bounty rewards researchers for what amounts to a privacy check, and should lead to a far better outcome and a better-protected user base. A reward that requires silence about the issues found does nothing to help the company improve its privacy practices.
It also sends the public a troubling message about what a bug bounty reward is for: is it to repay the researcher for disclosing an issue, or to silence them?
Telegram has yet to respond to this criticism.
Despite these issues, Telegram retains many loyal users who value the application for being user-friendly and convenient. That said, Telegram’s Self-Destruct Timer remains an interesting addition to the application.