According to the report, the Secret Chat feature, which is the encrypted conversation mode of the app, has a self-destructing messages mode, where users can share audio, video and images that automatically disappear after 20 seconds. However, Mishra found that when content is shared in the standard, non-encrypted mode, the app leaves behind a trace that users can follow to find the target folder where media files are saved. In the Secret Chat mode, Telegram does mask the path of the folder where content is saved, but the target folder is still the same when it comes to disappearing files. On top of that, media shared in the disappearing chat mode is not deleted from local storage, even after the content disappears from the chat window.
Using this flaw, any user acting with intent could potentially find content that was shared only temporarily and misuse it in the long run, compromising user privacy. Mishra reported the vulnerability through Telegram’s bug bounty programme; Telegram acknowledged the flaw and awarded Mishra a bounty of EUR 2,000. Telegram also acknowledged a flaw in which local passwords were being stored in plain text, and paid an additional bounty of EUR 1,000 for it.
The incident reflects the general extent of cyber security flaws that are spotted in all apps today. These flaws range from exposed storage directories (such as the one here) to zero-day and unpatched bugs that enable remote code execution and privilege escalation in systems.