A hidden flaw in the Telegram secure messaging service could reveal user passwords, a researcher found. The service can also expose media files from self-destruct messages.
Dhiraj Mishra, a security consultant working in Dubai, revealed in a blog post yesterday (February 11) that the Mac desktop client for Telegram has indefinitely preserved audio and video files from self-destructing messages.
He dug a little further and found that the Mac Telegram client also stored user passwords in plain text. Neither of these lapses is good: malware or a determined intruder with access to the machine could have found both sets of files.
“Telegram again fails to handle user data,”
The Mac client properly deleted self-destruct messages themselves, Mishra wrote. However, any video or audio files attached to those messages could still be found buried deep in the Mac file system. Anyone, or any program, that knew where to look could retrieve them.
Passwords were written in plain text in the user’s Telegram metadata, where an attacker with access to the file system could also find them.
Mishra told Bleeping Computer that he reported the bugs to Telegram in December and received a 3,000 euro bug bounty for his trouble.
Telegram fixed both bugs in the 7.4 update at the end of January. If you use Telegram on a Mac, make sure your client software is up to date.
Telegram has seen a surge of new users recently, after a change to WhatsApp’s privacy terms prompted an exodus from the Facebook-owned service.
Many security professionals are not convinced that Telegram is safe enough for highly sensitive communications. Instead, they recommend the Signal service, which uses the same end-to-end encryption protocol as WhatsApp.
Mishra ended his blog post with a clear indication of where he stands on the matter, embedding Elon Musk’s now famous tweet: “Use Signal.”