Telegram’s Self-Destructing Messages feature is considered one of the app’s best security functions. However, experts claimed it could still leak data.
Telegram is considered one of the safest messaging apps across the globe. Because it has advanced security features that could prevent hackers and other malicious actors from accessing users’ direct messages (DMs), many consumers prefer it to WhatsApp and other messaging services that are currently facing various concerns and accusations.
One of Telegram’s anti-hacking functionalities is its so-called Self-Destructing Messages feature, which allows two users to communicate with one another without saving any data about their conversation. However, experts discovered a way for a technically skilled person to work around the feature and access the information of the receiver and sender.
Security researchers have uncovered a simple way to circumvent the self-destructing messages feature in the popular chat application Telegram. In a blog post, security company Trustwave detailed two separate vulnerabilities in Telegram for macOS, both of which compromise the effectiveness of the privacy feature.
Why the App’s Self-Destructing Messages Feature Is Not Safe
The experts who discovered the flaws in Telegram’s Self-Destructing Messages feature explained that the first issue could be used to retrieve message data (images, video messages, voice recordings, and shared locations) even after the self-destruct process has been triggered, while the second lets someone access media without opening the message and setting off the self-destruct timer.
Both scenarios are made possible by the way in which Telegram stores message content in cache on macOS devices, but other operating systems are not affected. The self-destructing messages option is housed within the app’s Secret Chat mode, which offers users an additional layer of privacy and security afforded by end-to-end encryption. This means no third party has access to the messages sent to and fro, including Telegram.
Telegram’s Self-Destructing Messages are supposed to take this a step further, allowing users to set a timer after which messages and associated media are deleted from both devices without a trace. However, the two bugs discovered by Trustwave appear to render the feature effectively obsolete.
Trustwave says it reported both security issues to Telegram, which took action to plug up one but not the other. At the time of writing, the app’s version for macOS can still be abused to gain access to media files without opening a self-destructing message. They explained that “the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages.”
The researchers, who discovered the application’s latest security feature, added that there are some ways to work around it that are outside what the app can control (like copying the app’s folder), and we clearly warn users about such circumstances. Trustwave also notes that it was forced to decline the offer of a bug bounty reward, the receipt of which would have prevented the researchers from disclosing their findings to the public.