Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Telegram Self-Destruct? Not Always

Summary

Secret-Chats in Telegram use end-to-end encryption, which is meant for people who are concerned about the security and privacy of their chat history. The messages can be read only by sender and receiver, and not even Telegram administrators have the encryption keys necessary to read any chats. From the Telegram FAQ:

“When a secret chat is created, the participating devices exchange encryption keys using the so-called Diffie-Hellman key exchange. After the secure end-to-end connection has been established, we generate a picture that visualizes the encryption key for your chat. You can then compare this image with the one your friend has — if the two images are the same, you can be sure that the secret chat is secure, and no man-in-the-middle attack can succeed.”

The algorithm also allows for the circumstance where if person ‘A’ deletes the messages in a chat, then the messages will also be deleted from person ‘B’’s device. This model can be extended using an additional feature included with the Secret-Chats called Self-Destruct Chats.

Self-Destruct Chats are timer-based; the messages are automatically deleted after the timer is set up by any of the users, which means any chats, files will be deleted, leaving no traces behind on both devices; this feature is highly focused on the privacy of the users

I have identified the privacy flaws in Telegram's self-destruct chats. One can retrieve audio, video messages, shared locations, and files even after the self-destruct feature works on both devices.

The findings are focused only on Secret-Chat with Self-Destruct Chat settings; below is the POC video:

 

Vulnerability Description

The bug is present in macOS Telegram version 7.5. Any shared location, audio, video, or documents that are sent in Telegram are stored in the Telegram cache in this path:

/Users/Admin/Library/Group Containers/XXXXXXX.ru.keepcoder.Telegram/appstore/account-1271742300XXXXXX/postbox/media

The Secret-Chat files are stored in this directory with the prefix “secret-file-xxxxxx”

 

Root Cause:

By default, any media files, except attachments, sent to Telegram are downloaded to the above cache folder. Shared locations are stored as a picture.
 

How to Exploit?

Scenario 1: Audio, Video, Attachments, Shared Location leaks even after self-destructing on both devices

Bob sends a media message to Alice (again, whether voice recordings, video messages, images, or location sharing). Once Alice reads the message, the messages will be deleted in the app as per the self-destruct feature. However, the files are still stored locally inside the cache folder available for recovery.

Impact: Both Bob and Alice lose their privacy

 

Image001

Figure 1: Recovering a Self-Destruct video from the cache

 

Image002

Figure 2: Recovering Self-Destruct audio from the cache

 

Scenario 2: Audio, Video, Attachments, Shared Location leaks without opening or deleting

Bob sends a media message to Alice (whether voice recordings, video messages, images, or location sharing). Without opening the message, since it may self-destruct, Alice instead goes to the cache folder and grabs the media file. She can also delete the messages from the folder without reading them in the app. Regardless, Bob will not know whether Alice has read the message, and Alice will retain a permanent copy of the media.

Impact: Bob loses his privacy

Responsible Disclosure Process

We reported these issues to Telegram per our Responsible Disclosure Policy. They fixed the main vulnerability in Scenario 1, where any chats/media can be recovered from the cache even after they are supposedly self-deleted after opening the message in the app. The initial fix was incomplete as it didn’t apply to shared locations. Telegram took a little longer with that, but that fix has been published too.

However, it’s still possible to exploit the caching issue in Scenario 2 to access the media files. No screenshots or screen recordings are necessary. Simply copy the file out of the cache directory before opening it in the application.

Telegram decided against fixing this issue and responded:

“Please note that the primary purpose of the self-destruct timer is to

serve as a simple way to auto-delete individual messages. However, there

are some ways to work around it that are outside what the Telegram app

can control (like copying the app’s folder), and we clearly warn users

about such circumstances: https://telegram.org/faq#q-can-telegram-protect-me-against-everything

I believe the fix would be a simple one. As I stated initially, the self-destruct chats work exactly as intended for attachments. If you attach media files to a message, the attachments cannot be accessed in the cache prior to clicking the message. Only after the message is opened in the app are the attachments downloaded and then deleted after the timer.

The fix for the first issue is available in version 7.8.1 or later for MacOS.

 

Afterword: Bug Bounties and Public Disclosure

I was delighted to be offered a bug bounty for this discovery; however, upon reading the contract for the bounty, we noticed that it prevented public disclosure of any of my findings. Upon asking for clarification, Telegram confirmed that signing the contract would prevent disclosure in any form. Public disclosure is an important part of the vulnerability discovery and remediation process. It is essential for the public in a variety of ways. For instance, it communicates the full risk of not applying patches; educates the security community in both the nature of a vulnerability as well as the techniques and tools used to uncover such vulnerabilities; it even helps system and network administrators identify vulnerable software.

Bug bounties are a welcome reward for individual researchers providing what amounts to a security audit that results in a better product and a more secure user base. However, bug bounties that require permanent silence about a vulnerability do not help the broader community to improve their security practices and can serve to raise questions about what exactly the bug bounty is compensating the individual for – reporting a vulnerability to the bounty payer or their silence to the broader community. This is especially serious in this case, where one of the issues reported went unaddressed.

Telegram’s history is also inconsistent concerning bounties and disclosure. Despite confirmation that their bounty contract precludes disclosure, there is evidence that bounties are paid despite disclosure. We’ve seen two instances of this, including a case of a very similar issue that was patched and disclosed back in February. Requests for clarity on this went unanswered from Telegram.

Because of these concerns and my commitment to information security, I have declined the bug bounty in exchange for disclosure.

Reference

TWSL2021-011: Privacy Issues in Telegram Self-Destruct Feature on macOS

Latest SpiderLabs Blogs

Important Security Defenses to Help Your CISO Sleep at Night

This is Part 13 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More