Self-destructing media attachments in Telegram for MacOS are interceptable
Self-destructing media attachments such as audio messages, photos, videos or shared locations can be intercepted and copied in the macOS version of Telegram. That reports a researcher from Trustwave SpiderLabs. The attachments can be found in the cache directory.
According to researcher Reegun Jayapaul, any user of Telegram for MacOS can view and copy the Secret Chat media attachments by taking a look at the app’s cache folder. A user can view and even delete the file there without the sender receiving a notification in the app. Only when the attachment has been opened in the chat app will a timer be activated that will delete the file in the cache folder.
Jayapaul also discloses a bug he discovered in Telegram 7.5. for macOS. In this version, media attachments sent in a Secret Chat were not automatically cleared from the cache. This is despite the fact that the messages were read in the app and should automatically become destructive after a certain amount of time. After reporting the bug, the issue was resolved in Telegram 7.8.1 for MacOS, according to the researcher. Whether the same problems also occur on Windows and Linux is not clear.
Jayapaul reports that he has not reported the bug through Telegram’s official bug bounty program. According to him, the contractual obligations of this program would prevent him from making the bug, and its possible consequences, public.