Telegram Fixed A Bug That Stored Images On Recipients' Phones Even After 'Unsend'

Telegram is a cloud-based instant messaging and voice-over-IP service that allows users to send messages and exchange photos, videos, stickers, audio and files of any type.

Much of Telegram's popularity rests on its encryption. Messages and media files in regular cloud chats are encrypted in transit between client and server (Telegram's MTProto protocol) and encrypted at rest on Telegram's servers. End-to-end encryption, where only the two endpoints hold the keys, is offered separately in Secret Chats. Note that the bug described here concerns neither layer: it is about what the receiving app leaves behind on local storage after a message is deleted.

However, a bug caused pictures that had already been stored on the recipient's phone to remain there even after the sender 'unsent' them.

The vulnerability was discovered by security researcher Dhiraj Mishra and was present in Telegram version 5.10.0 (1684) for Android.

In his blog post, Mishra said that Telegram kept received images in the /Telegram/Telegram Images/ folder in the phone's internal storage even when the sender chose to delete the message for all participants. The deletion therefore removed the message from the chat view but not the cached file from disk. Worse, the same happened in group chats, which at the time could have as many as 200,000 members, so a single mistakenly sent image could persist on a very large number of devices.

According to Mishra:

"This is not a security vulnerability, it's a privacy issue. As I understand, Telegram, a messaging app that focuses on privacy, has over 10,00,00,000+ downloads in the Play Store. In this case, we are abusing a well-known feature of deleting messages, which allows users to delete messages sent by mistake or genuinely to any recipient."

"I found this bug when I was researching about Telegram and MTProto protocol."

The messenger launched the 'unsend' feature back in 2017, to allow users to delete a message for everyone in the chat.

Telegram requests Android's storage permission ('read/write/modify the contents of your USB storage'), which gives it unrestricted access to its own folders under external storage. Technically, that permission is all the app needs to both write a received image to disk and remove it again when the corresponding message is deleted. The bug was therefore not a permissions problem: when a message was 'unsent', the app removed the chat entry but never deleted the cached image file that belonged to it.
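The failure mode is easiest to see in a small model. The following is an added illustration written for this article, not Telegram's or WhatsApp's code: a hypothetical message store that caches received images in a directory, with a buggy `unsend` that only drops the message record (what the article describes) beside a fixed `unsend` that also unlinks the cached file, and a check that lists cached files no surviving message references. All names, paths and the constructed image bytes are assumptions.

```python
"""Model of the 'unsend leaves cached media behind' failure mode.

Added example, not the app's real code. A minimal message store caches
received images on disk; unsend_buggy() removes only the chat record,
unsend_fixed() also removes the cached file. leftover_files() is the
check a tester would run against the cache directory after an unsend.
All class and function names here are hypothetical.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Message:
    msg_id: int
    text: str
    media_path: Optional[str] = None  # path of the cached image, if any


@dataclass
class MessageStore:
    cache_dir: str
    messages: Dict[int, Message] = field(default_factory=dict)

    def receive_image(self, msg_id: int, text: str, data: bytes) -> Message:
        """Simulate receiving an image: write it into the cache directory."""
        path = os.path.join(self.cache_dir, f"{msg_id}.jpg")
        with open(path, "wb") as f:
            f.write(data)
        msg = Message(msg_id, text, path)
        self.messages[msg_id] = msg
        return msg

    def unsend_buggy(self, msg_id: int) -> None:
        """The flawed behaviour: drop the chat record, leave the file on disk."""
        self.messages.pop(msg_id, None)

    def unsend_fixed(self, msg_id: int) -> None:
        """Corrected behaviour: drop the record and remove the cached file."""
        msg = self.messages.pop(msg_id, None)
        if msg is not None and msg.media_path:
            try:
                os.remove(msg.media_path)
            except FileNotFoundError:
                pass  # already gone; nothing left to leak

    def leftover_files(self) -> List[str]:
        """Cached files that no surviving message references (the privacy leak)."""
        referenced = {m.media_path for m in self.messages.values() if m.media_path}
        return sorted(
            os.path.join(self.cache_dir, name)
            for name in os.listdir(self.cache_dir)
            if os.path.join(self.cache_dir, name) not in referenced
        )


def demo(fixed: bool) -> List[str]:
    """Receive one image, unsend it, report what is still on disk (basenames)."""
    with tempfile.TemporaryDirectory() as cache:
        store = MessageStore(cache)
        # Constructed sample: a JPEG-looking header followed by filler bytes.
        store.receive_image(1, "oops, wrong chat", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        unsend = store.unsend_fixed if fixed else store.unsend_buggy
        unsend(1)
        return [os.path.basename(p) for p in store.leftover_files()]


if __name__ == "__main__":
    print("buggy unsend leaves behind:", demo(fixed=False))  # ['1.jpg']
    print("fixed unsend leaves behind:", demo(fixed=True))   # []
```

The same inventory idea is how the behaviour is verified on a real device: list the app's media folder, unsend the message from the sending side, and list it again; any file that survives the second listing is what the recipient can still open.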

In comparison, WhatsApp also has the 'unsend' feature, which practically does the same thing.

When Mishra tried to replicate the issue on the Facebook-owned chat app, he could not: WhatsApp removed the stored file once the sender initiated 'unsend', as the feature promises.

According to Mishra, "WhatsApp takes the same permission when it comes to storage which is 'read/write/modify'."

As a workaround, Telegram users can use 'New Secret Chat', which was not affected by this flaw. In a secret chat, media files were removed from the recipient's device once the sender unsent them, as promised.

"This issue could have a bigger impact and I am not sure how far this was in place; the word privacy of Telegram fails here again, and users trust against the Telegram is at risk."

Mishra reported the issue to the Telegram security team by email, and the company pushed a fix in version 5.11, published on September 5th. For his disclosure, Mishra received a €2,500 award from Telegram.

Published: 13/09/2019