Telegram Secret Chat on Mac Found Exposing Private Data, App Issues Patch

Telegram has been hailed as a safe communication app, but was recently spotted with a significant security flaw that exposed private data.


Telegram shot to major popularity in light of WhatsApp and its privacy policy debacle. Alongside Signal, Telegram has been hailed as one of the more secure alternatives to everyday messagiing. However, a recent update has revealed that Telegram may not have been as private and secure as it was billed. Reported by News18, security researcher Dhiraj Mishra reportedly revealed that Telegram for macOS had a key privacy flaw that stored content from disappearing messages from its Secret Chat feature, locally on users’ devices. Alongside this breach, Telegram was also spotted storing local device passwords in plain text, marking two major security flaws that the service’s Mac app had so far. The flaws have now been patched in the new Telegram for Mac app version 7.4, Mishra confirmed to News18.

According to the report, the Secret Chat feature, which is the encrypted conversation mode of the app, has a self-destructing messages mode, where users can share audio, video and images that automatically disappear after 20 seconds. However, Mishra found that when content is shared in the standard, non-encrypted mode, the app leaves behind a trace, using which users can find the target folder where media files are saved. In the Secret Chat mode, while Telegram does mask the path of the folder where content is saved, the target folder is still the same as for when it comes to disappearing files. On top of that, media shared in the disappearing chat mode are not deleted from local storage, even after the content disappears from the chat window.

Using this flaw, any user with targeted intention could potentially find content that was shared for temporary periods, and misuse it in the long run, thereby exploiting user privacy. Mishra conveyed the vulnerability via Telegram’s bug bounty programme, who acknowledged the flaw and certified Mishra with a bounty of EUR 2,000. Telegram also acknwoledged the flaw where local passwords were being stored in plain text, and paid an additional bounty of EUR 1,000 for the same.

The incident reflects on the general extent of cyber security flaws that are spotted in all apps today. The nature of these flaws range from exposing storage directories (such as the one that happened here), as well as zero-day and unpatched bugs that enable remote code execution and privilege escalation in systems.