A hidden flaw in the Telegram secure-messaging service could expose user passwords, a researcher found. The service may also expose media files from self-destructing messages.
Dhiraj Mishra, a security consultant working in Dubai, revealed in a blog post yesterday (Feb. 11) that the Mac desktop client for Telegram indefinitely preserved audio and video files from self-destructing messages.
He did some more poking around and found that the Mac Telegram client also stored user passwords in plain text. Neither of these security lapses is a good thing. Malware or a crafty intruder could have found both sets of files.
“Telegram fails again in terms of handling the user’s data,” Mishra wrote in his blog post, sarcastically titled “The ‘P’ in Telegram Stands for Privacy.”
The Mac client appropriately deleted self-destructing messages, Mishra wrote. But if any video or audio files were attached to those messages, those files could still be found buried deep in the Mac’s filesystem. Anyone, or anything, that knew where to look could find them.
Passwords were written in plain text in the user’s Telegram metadata, where it also could have been found by attackers.
Mishra told Bleeping Computer that he reported the flaws to Telegram in December and received a 3,000-euro bug bounty for his trouble.
Telegram fixed both flaws with the 7.4 update in late January. If you’re using Telegram on a Mac, make sure your client software is up-to-date.
Telegram has seen a spike in new users recently, after a privacy-permissions change at WhatsApp prompted an exodus from the Facebook-owned service.
Many security professionals aren’t convinced that Telegram is very safe to use for highly sensitive communications. They instead recommend the Signal service, which uses the same encryption as WhatsApp.
Mishra ended his blog with a clear indication of where he stands on the issue, embedding Elon Musk’s now-famous tweet to “Use Signal.” (Here’s how.)