For any new users who left WhatsApp for Telegram, the latest glitch is a stark reminder that, unfortunately, no messaging service is completely secure.
The latest privacy-defeating vulnerability was unearthed by security researcher Dhiraj Mishra. It’s found in version 7.3 of the macOS app. Telegram was notified about the issue on December 26, 2020. And following an update on January 29, the issue has been resolved in version 7.4 of the macOS app. Mishra has allowed enough time for most users to update their app before speaking publicly about the bug – but if you haven’t yet updated Telegram on your MacBook, iMac, Mac Pro or Mac mini, you’ll want to head to the App Store to download that right away.
Unlike Signal and WhatsApp, Telegram does not use end-to-end encryption for its messages by default. Instead, users need to opt-in to a mode called “Secret Chat,” to enable this crucial privacy measure. When this mode is enabled, users have the option to send “self-destructing” messages. These are not only end-to-end encrypted – thereby preventing anyone apart from the sender and the recipient from seeing the contents (including Telegram itself) – but also automatically deleting the content from both phones after a pre-determined amount of time. So, the recipient isn’t able to go back and double-check the encrypted messages days later.
However, Mishra discovered that when audio or video messages were recorded on the macOS application, it was possible to track down the .mp4 recording on the laptop hard-drive. Once you know where the file is stored, it’s possible to dive into the folders on your Mac and retrieve the recording – even when it’s vanished from the chat window within Telegram. Although playing the video or listening to the audio clip within the app is no longer possible, the file itself isn’t deleted and remains accessible provided you know where to look.
“Telegram says ‘super secret’ chats do not leave traces, but it stores the local copy of such messages,” Mishra clarified to The Hacker News.