Telegram Self-destructing Audio and Video Files

Recently, Telegram has met with a security problem regarding video and audio. Here, the videos and audios were not being deleted from the user’s macOS devices as it was assumed.

We all know that Telegram gives the option to export videos with a “self-destruction” feature, through which it automatically gets deleted from the reception. The security expert has identified this flaw as CVE-2021-27204.

The experts asserted that in the case of Mac, the videos only remained hidden; in reality, it wasn’t deleted from the account. Telegram has 500 million active users, and all are suffering from a logical bug that exists in Telegram for macOS.

Technical Report

However, the experts have given a brief analysis on the technical report, initially, open Telegram for macOS and transfer recorded audio or video message in regular chat, here the application drops the sandbox path where the recorded message is saved in the “.mp4” file.

The security analyst, Dhiraj Mishra has transfered, an audio/video message in secret chat and he has noticed that the URI was not leaked, but the recorded audio/video message still gets stored in the path.

Passcode Saved in Plain Text

In the Secret Chat security issue, the security expert, Dhiraj Mishra has found that Telegram was collecting the user’s local passcodes so that it can unlock the app in plain text, and this flaw was identified as CVE-2021-27205.

But, the plaintext passcodes were collected in the Users/[username]/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram/accounts-metadata in the JSON file.

The security analyst, Dhiraj Mishra, has himself tested the vulnerability, and he proved that all messages were sent are still present in the memory after being deleted from the chat list.

Reward

Apart from this, Telegram apparently has saved the local passcode unencrypted in clear text under macOS. But, both the security gaps have affected version 7.3 of Telegram, but it was patched later in version 7.4.

Moreover, the computer scientist who has fixed the vulnerability has received a reward of 3000 euros from Telegram for fixing all the security holes. 

The second vulnerability was also discovered by Mishra, and this vulnerability saves the local passcode of the users so that they can unlock the app in cleartext.

But it was fixed in another Telegram version 7.4 for the Mac, and the experts who have fixed the vulnerability have also got a reward from Telegram.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Leave a Reply