The Privacy Projects

A New Problem Has Surfaced with Telegram’s Privacy Features

A security expert has found out that abusing the delete feature on the message feed of any conversation log on Telegram, threatens the privacy of the user. Apparently is not so much a security issue per-se since the problem is more akin to a privacy issue. The whole motif of Telegram is based on privacy, and with ten million-plus downloads from the Android Play-store, users want some answers.

Telegram Privacy Hack

The glitch, as detected, seems to work like this: It takes place when we delete messages from the log of a conversation. Either because it was sent by mistake or because we mistimed our writing. After the message is sent to the recipient and deleted, the original text still remains in the internal log of the user located at /Telegram/Telegram Images/path.

The Presence of the Issue and Short Term Visible Effects

The glitch being discussed becomes highly problematic in if we belong in any of Telegram’s super communities. It all begins if you are in a group that has over a hundred members, and you share a message or a file not meant for the community. If you proceed to delete it immediately, it won’t happen as expected. The data will no longer be visible for you, but the feature “delete for all members” is broken. So, the file or text will be available in the storage of all users of the group.

There is also the fact that Telegram takes date from the read/write/modify permission check found on most USB storage devices. This means that the confidential data should be deleted from another user device, but it doesn’t happen that way. Whatsapp also has the same feature, but it works much more efficiently with the corresponding licenses and permissions. It’s also an evident process on this app that can be easily viewed in the route /Whatsapp/Whatsapp Media/Whatsapp Images/

Affected Versions of the Software and Fix

So far, the reported versions of the software with this problem are the latest stable versions found on the Playstore: the 5.10.0 (1684) for Android. The test could not be performed on iOS or Telegram for Windows. It’s safe to say that they both have the same problem because they have the same build to some extent. The findings were submitted to Telegram who rewarded the developer with a bounty of €2,500 for his results. A fix for these issues is still being pushed, but it still has to be tested in large communities.