A hidden flaw in Telegram’s secure messaging service could have exposed users’ passwords, a researcher found. The service could also retain media files attached to self-destructing messages.
Dhiraj Mishra, a security consultant based in Dubai, revealed in a blog post yesterday (February 11) that the Mac desktop client for Telegram had indefinitely preserved audio and video files from self-destructing messages.
Digging further, he found that the Mac Telegram client also stored user passwords in plain text. Neither of these security lapses is good news: malware or a determined intruder could have found both sets of files.
“Telegram fails again in terms of handling user data,” wrote Mishra in his blog post, sarcastically titled “The ‘P’ in Telegram stands for privacy.”
The Mac client correctly deleted self-destructing messages, Mishra wrote. But if any video or audio files were attached to those messages, the files could still be found buried in the Mac’s file system. Anyone, or anything, that knew where to look could retrieve them.
Passwords were stored in plain text in the user’s Telegram metadata, where attackers could also have found them.
Mishra told BleepingComputer that he reported the Telegram flaws in December and received a €3,000 bug bounty for his efforts.
Telegram fixed both flaws with the 7.4 update in late January. If you are using Telegram on a Mac, make sure the client software is up to date.
Telegram has seen an influx of new users recently, after a change to WhatsApp’s privacy policy sparked an exodus from Facebook’s proprietary service.
Many security professionals are not convinced that Telegram is secure enough for highly confidential communications. Instead, they recommend Signal, which uses the same encryption protocol as WhatsApp.
Mishra ended his blog post with a clear indication of his position on the subject, embedding Elon Musk’s now-famous “Use Signal” tweet.