A hidden flaw in the secure messaging service Telegram could expose users' passwords, a researcher has found. The service also has the potential to expose media files from self-destructing messages.
Dhiraj Mishra, a security consultant working in Dubai, revealed in a blog post yesterday (February 11) that Telegram's Mac desktop client stores audio and video files from self-destruct messages indefinitely ...
He did some more digging and discovered that the Mac Telegram client also stores user passwords in plain text. Neither of these security lapses is a good thing. Malware or a cunning intruder could have found both files.
"Telegram has failed again in terms of handling user data," Mishra wrote in a blog post sarcastically titled "The 'P' in Telegram Stands for Privacy."
Mishra writes that the Mac client properly deleted the self-destructing messages themselves. But if a message had video or audio files attached, those files could remain buried deep in the Mac's file system, where anyone or anything could find them if they knew where to look.
Passwords were written in plain text in the user's Telegram metadata, which could also be found by an attacker.
Mishra told Bleeping Computer that he reported the flaw to Telegram in December and received a €3,000 bug bounty.
Telegram fixed both flaws in a 7.4 update in late January; if you are using Telegram on a Mac, make sure your client software is up to date.
Telegram has seen a recent surge in new users after WhatsApp's privacy permission changes prompted an exodus from the Facebook-owned service.
Many security experts do not consider Telegram secure enough for sensitive communications. Instead, they recommend the Signal service, which uses the same encryption protocol as WhatsApp.
At the end of his blog, Mishra embedded Elon Musk's now-famous "Use Signal" tweet, clearly stating his position on the issue.