Telegram on Mac Left Secret Chat Stored
A security researcher Dhiraj Mishra has discovered the vulnerability in the app version 7.3 on December 26, 2020. However, the issue was not solved even in the 7.4 version that is released on 29 January. Telegram app conversations are not end-to-end encrypted by default until the users enable the feature called “Secret Chat”. This feature keeps the data encrypted on Telegram servers also. The security researcher discovered the flaw in the secret chat feature. He found out, whenever the user sends media files in a normal chat, the app reveals the destination of where the folder of the image, video is being stored. The media file stays in the local storage folder even after getting deleted automatically from the chat window. Mishra found out that the app for macOS version 7.3 is storing local passcodes that the user has set. And this means any user can find your passcode and get access to your chats. The local passcode is stored in plain text in JSON file located under “/Users/<user_name>/Library/Group Containers/<*>.ru.keepcoder.Telegram/accounts-metadata/.” According to the researcher, For reporting about the two flaws, security researcher Dhiraj Mishra was awarded €3,000 as a part of its program. “During my assessment, I found that self-destructed messages, in this case, recorded audio/video messages, are actually never deleted and leave a local copy under a custom/sandbox path. The recorded audio/video message gets stored in mp4 or mov formats, and still remains even after a user delete for everyone from the normal chat.” In January, Telegram got 500 million monthly active users, as Whatsapp brought a privacy policy update. Because of this update, many users have switched to Telegram and Signal.
