Telegram, a privacy-focused messaging app with millions of users, has fixed a bug allowing users to recover media that was ‘unsent’ by other people.
Telegram offers a messaging feature that allows users to “unsend” messages that were sent by mistake or otherwise. This removes the message from other people’s inboxes. However, while the app was removing messages, images and videos that were sent and later unsent were still saved on a user’s device.
Dhiraj Mishra, the security researcher who found the privacy issue, published his findings in a blog post. (According to TechCrunch, Mishra also shared his findings exclusively with TechCrunch, a strange use of exclusively, but I digress.) He said the Android version of Telegram was permanently storing photos and videos in the device’s internal storage. Noting that a user would still have a sent and unsent image stored under the `/Telegram/Telegram Images/` folder, Dhiraj concluded that the feature was only deleting the image from the chat window.
In the blog post, Mishra describes the process used by competing apps with a similar unsend feature. In WhatsApp, a feature called “Delete for everyone” was in fact deleting the media from the device. Once a photo was unsent, it was fully removed from the `/Whatsapp/Whatsapp Media/Whatsapp Images/` folder. WhatsApp also required the same storage permission as Telegram, which is `read/write/modify`.
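The difference between the two behaviours described above, modelled as an added example (not Telegram's or WhatsApp's code, and not from Mishra's post): a toy client whose `unsend` either drops only the chat entry or also deletes the cached file, with an orphan check that can serve as a regression test. The class, function and file names are hypothetical, and the sample bytes are constructed.

```python
import tempfile
from pathlib import Path

class MediaChat:
    """Toy client: chat entries reference image files cached in one folder."""

    def __init__(self, media_dir: Path, delete_file_on_unsend: bool):
        self.media_dir = media_dir
        self.delete_file_on_unsend = delete_file_on_unsend
        self.messages = {}  # message id -> path of the cached file

    def receive(self, msg_id: int, name: str, data: bytes) -> None:
        path = self.media_dir / name
        path.write_bytes(data)
        self.messages[msg_id] = path

    def unsend(self, msg_id: int) -> None:
        path = self.messages.pop(msg_id)    # entry leaves the chat window
        if self.delete_file_on_unsend:
            path.unlink(missing_ok=True)    # cached copy leaves storage too

    def orphaned_media(self) -> list:
        """Names of files still on disk that no remaining message references."""
        referenced = set(self.messages.values())
        return sorted(p.name for p in self.media_dir.iterdir()
                      if p.is_file() and p not in referenced)

def run_scenario(delete_file_on_unsend: bool) -> list:
    """Receive two images, unsend one, and report what is left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        media_dir = Path(tmp) / "Telegram Images"  # constructed stand-in folder
        media_dir.mkdir()
        chat = MediaChat(media_dir, delete_file_on_unsend)
        chat.receive(1, "kept.jpg", b"constructed sample bytes")
        chat.receive(2, "mistake.jpg", b"constructed sample bytes")
        chat.unsend(2)
        return chat.orphaned_media()

if __name__ == "__main__":
    print("chat-only delete:", run_scenario(False))
    print("chat + file delete:", run_scenario(True))
```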
According to Mishra’s blog post, this issue holds true for Telegram “supergroups” as well. He gives an example of a case where a user is part of a group with 2,000,00 members and accidentally shares an image. When that person clicks “delete for all members” they were relying on broken functionality, as the files would still be present in storage on all users’ phones.
Mishra says the affected version is the latest stable version (5.10.0 (1684)) of Telegram for Android. He says that while he didn’t try this with Telegram for iOS or Windows, he does assume this issue would exist on those platforms. This issue didn’t impact users who used Telegram’s “New Secret Chat” feature, where no such traces of media were left.
The good news: Mishra says he submitted this to the Telegram sec-team and the team fixed the problem. He was also awarded €2,500 by Telegram.
To be clear, this is a problem more around privacy than true security. It has been fixed, and Telegram handled this problem in a way befitting a company whose focus is privacy and security.
Header Image: Dhiraj Mishra