Secret-Chats in Telegram use end-to-end encryption, which is meant for people who are concerned about the security and privacy of their chat history. The messages can be read only by sender and receiver, and not even Telegram administrators have the encryption keys necessary to read any chats. From the Telegram FAQ:
“When a secret chat is created, the participating devices exchange encryption keys using the so-called Diffie-Hellman key exchange. After the secure end-to-end connection has been established, we generate a picture that visualizes the encryption key for your chat. You can then compare this image with the one your friend has — if the two images are the same, you can be sure that the secret chat is secure, and no man-in-the-middle attack can succeed.”
The algorithm also allows for the circumstance where if person ‘A’ deletes the messages in a chat, then the messages will also be deleted from person ‘B’’s device. This model can be extended using an additional feature included with the Secret-Chats called Self-Destruct Chats.
Self-Destruct Chats are timer-based; the messages are automatically deleted after the timer is set up by any of the users, which means any chats, files will be deleted, leaving no traces behind on both devices; this feature is highly focused on the privacy of the users
I have identified the privacy flaws in Telegram's self-destruct chats. One can retrieve audio, video messages, shared locations, and files even after the self-destruct feature works on both devices.
The findings are focused only on Secret-Chat with Self-Destruct Chat settings; below is the POC video:
The bug is present in macOS Telegram version 7.5. Any shared location, audio, video, or documents that are sent in Telegram are stored in the Telegram cache in this path:
The Secret-Chat files are stored in this directory with the prefix “secret-file-xxxxxx”
By default, any media files, except attachments, sent to Telegram are downloaded to the above cache folder. Shared locations are stored as a picture.
How to Exploit?
Scenario 1: Audio, Video, Attachments, Shared Location leaks even after self-destructing on both devices
Bob sends a media message to Alice (again, whether voice recordings, video messages, images, or location sharing). Once Alice reads the message, the messages will be deleted in the app as per the self-destruct feature. However, the files are still stored locally inside the cache folder available for recovery.
Impact: Both Bob and Alice lose their privacy
Figure 1: Recovering a Self-Destruct video from the cache
Figure 2: Recovering Self-Destruct audio from the cache
Scenario 2: Audio, Video, Attachments, Shared Location leaks without opening or deleting
Bob sends a media message to Alice (whether voice recordings, video messages, images, or location sharing). Without opening the message, since it may self-destruct, Alice instead goes to the cache folder and grabs the media file. She can also delete the messages from the folder without reading them in the app. Regardless, Bob will not know whether Alice has read the message, and Alice will retain a permanent copy of the media.
Impact: Bob loses his privacy
Responsible Disclosure Process
We reported these issues to Telegram per our Responsible Disclosure Policy. They fixed the main vulnerability in Scenario 1, where any chats/media can be recovered from the cache even after they are supposedly self-deleted after opening the message in the app. The initial fix was incomplete as it didn’t apply to shared locations. Telegram took a little longer with that, but that fix has been published too.
However, it’s still possible to exploit the caching issue in Scenario 2 to access the media files. No screenshots or screen recordings are necessary. Simply copy the file out of the cache directory before opening it in the application.
Telegram decided against fixing this issue and responded:
“Please note that the primary purpose of the self-destruct timer is to
serve as a simple way to auto-delete individual messages. However, there
are some ways to work around it that are outside what the Telegram app
can control (like copying the app’s folder), and we clearly warn users
about such circumstances: https://telegram.org/faq#q-can-telegram-protect-me-against-everything”
I believe the fix would be a simple one. As I stated initially, the self-destruct chats work exactly as intended for attachments. If you attach media files to a message, the attachments cannot be accessed in the cache prior to clicking the message. Only after the message is opened in the app are the attachments downloaded and then deleted after the timer.
The fix for the first issue is available in version 7.8.1 or later for MacOS.
Afterword: Bug Bounties and Public Disclosure
I was delighted to be offered a bug bounty for this discovery; however, upon reading the contract for the bounty, we noticed that it prevented public disclosure of any of my findings. Upon asking for clarification, Telegram confirmed that signing the contract would prevent disclosure in any form. Public disclosure is an important part of the vulnerability discovery and remediation process. It is essential for the public in a variety of ways. For instance, it communicates the full risk of not applying patches; educates the security community in both the nature of a vulnerability as well as the techniques and tools used to uncover such vulnerabilities; it even helps system and network administrators identify vulnerable software.
Bug bounties are a welcome reward for individual researchers providing what amounts to a security audit that results in a better product and a more secure user base. However, bug bounties that require permanent silence about a vulnerability do not help the broader community to improve their security practices and can serve to raise questions about what exactly the bug bounty is compensating the individual for – reporting a vulnerability to the bounty payer or their silence to the broader community. This is especially serious in this case, where one of the issues reported went unaddressed.
Telegram’s history is also inconsistent concerning bounties and disclosure. Despite confirmation that their bounty contract precludes disclosure, there is evidence that bounties are paid despite disclosure. We’ve seen two instances of this, including a case of a very similar issue that was patched and disclosed back in February. Requests for clarity on this went unanswered from Telegram.
Because of these concerns and my commitment to information security, I have declined the bug bounty in exchange for disclosure.