A hidden bug in the Telegram secure messaging service could expose user passwords, a researcher found. The service could also expose media files from self-destructing messages.
Dhiraj Mishra, a security consultant working in Dubai, revealed in a blog post yesterday (February 11) that the Mac client for Telegram kept audio and video files from self-destructing messages indefinitely.
He dug a bit further and found that the Mac Telegram client also stored user passwords in plain text. Neither of these security lapses is a good thing. Software or a smart intruder could have found both sets of files.
“Telegram again fails in terms of handling user data,” Mishra wrote in his blog post, sarcastically titled “The ‘P’ in Telegram Stands for Privacy.”
The Mac client properly deleted self-destructing messages, Mishra wrote. But if any video or audio files were attached to those messages, the files could remain buried deep in the Mac file system. Anyone, or anything, that knew where to look could find them.
Passwords were written in plain text in the user's Telegram metadata, where attackers could also find them.
Mishra told Bleeping Computer that he reported the flaws to Telegram in December and received 3,000 euros for his trouble.
Telegram corrected both bugs with the 7.4 update at the end of January. If you use Telegram on a Mac, make sure your client software is up to date.
Telegram recently saw an increase in new users after a privacy-related change at WhatsApp prompted users to move away from the Facebook-owned service.
Many security professionals are not convinced that Telegram is safe enough to use for very sensitive communications. They recommend the Signal service instead, which uses the same encryption as WhatsApp.
Mishra closed his blog post with a clear indication of where he stands on the matter, embedding Elon Musk’s now-famous tweet: “Use Signal.”