Telegram has fixed a privacy issue in its message deletion feature. The feature is intended to let a sender remove an already-sent message, together with any media attached to it, from the recipient’s device when the sender wishes to recall it.
The security failure was discovered by bug bounty hunter Dhiraj Mishra. Selecting the ‘Also Delete’ option removed the text of a message from the recipient’s chat, but any image sent with it remained in the recipient’s phone’s internal storage under the ‘/Telegram/Telegram Images/’ path.
The delete feature is typically relied on when a confidential image is mistakenly sent to someone who was not meant to receive it. ‘Also Delete’ removed the image from the chat window, but the file was still available in the recipient’s Telegram Images folder.
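The failure mode described above, as an added example that is not Telegram’s code and not part of the original report: a minimal message store in which each received message row references a media file written to a per-app images directory on the recipient device. `delete_for_everyone_buggy` removes only the chat row and orphans the file, which is the behaviour reported; `delete_for_everyone_fixed` unlinks the referenced media before dropping the row. `orphaned_media` is the check a tester would run on a device after a remote delete: list every file in the media directory that no surviving message references. The class, function and column names are assumptions made for this example; the directory name is taken from the report, and the JPEG bytes are constructed.

```python
import sqlite3
import tempfile
from pathlib import Path
from typing import List, Optional

# Constructed example (not Telegram's code): a recipient-side message store
# whose rows point at files saved under a "Telegram/Telegram Images" directory.


class MessageStore:
    def __init__(self, root: Path):
        # Directory name taken from the report; everything else is assumed.
        self.media_dir = root / "Telegram" / "Telegram Images"
        self.media_dir.mkdir(parents=True)
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE messages (id INTEGER PRIMARY KEY, text TEXT, media_path TEXT)"
        )

    def receive(self, msg_id: int, text: str,
                image_bytes: Optional[bytes] = None) -> Optional[Path]:
        """Store an incoming message; an attached image is written to media_dir."""
        path = None
        if image_bytes is not None:
            path = self.media_dir / f"{msg_id}.jpg"
            path.write_bytes(image_bytes)
        self.db.execute(
            "INSERT INTO messages VALUES (?, ?, ?)",
            (msg_id, text, str(path) if path else None),
        )
        self.db.commit()
        return path

    def delete_for_everyone_buggy(self, msg_id: int) -> None:
        """Reported behaviour: the chat row disappears, the image file stays on disk."""
        self.db.execute("DELETE FROM messages WHERE id = ?", (msg_id,))
        self.db.commit()

    def delete_for_everyone_fixed(self, msg_id: int) -> None:
        """Remove the referenced media file first, then the chat row."""
        row = self.db.execute(
            "SELECT media_path FROM messages WHERE id = ?", (msg_id,)
        ).fetchone()
        if row and row[0]:
            Path(row[0]).unlink(missing_ok=True)
        self.db.execute("DELETE FROM messages WHERE id = ?", (msg_id,))
        self.db.commit()

    def orphaned_media(self) -> List[Path]:
        """Files in media_dir that no surviving message references."""
        referenced = {
            r[0] for r in self.db.execute(
                "SELECT media_path FROM messages WHERE media_path IS NOT NULL"
            )
        }
        return sorted(p for p in self.media_dir.iterdir() if str(p) not in referenced)


def demo(use_fix: bool) -> dict:
    """Receive a text and an image message, delete the image message remotely,
    and report what is left behind. Runs entirely inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        store = MessageStore(Path(tmp))
        store.receive(1, "hello")
        # Constructed stand-in for a JPEG: SOI marker followed by padding.
        img = store.receive(2, "", image_bytes=b"\xff\xd8\xff" + b"\x00" * 16)
        delete = store.delete_for_everyone_fixed if use_fix else store.delete_for_everyone_buggy
        delete(2)
        row_gone = store.db.execute(
            "SELECT COUNT(*) FROM messages WHERE id = 2"
        ).fetchone()[0] == 0
        return {
            "row_gone": row_gone,
            "file_present": img.exists(),
            "orphans": len(store.orphaned_media()),
        }


if __name__ == "__main__":
    print("buggy:", demo(use_fix=False))
    print("fixed:", demo(use_fix=True))
```

With the buggy path the row is gone but the file is still present and shows up as an orphan; with the fixed path both are gone. On a real device the equivalent check is to list the images directory before and after a remote delete rather than trusting the chat view, since the chat view is exactly what hid the problem here. Note that any client-side deletion is best-effort in the sense that a recipient who already copied, backed up or screenshotted the file keeps it regardless.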
Facebook-owned WhatsApp has a comparable feature, ‘Delete for Everyone’, that lets users remove content including messages and images; in WhatsApp the media is also removed from storage at the same time.
Telegram’s privacy failure might not be a big issue in one-on-one chats, but it could create real problems in ‘supergroup’ chat sessions with thousands of active members, especially if a user accidentally sends a sensitive image not meant for that group. The “delete for all members” option is of little use there, since the file would still be present in the storage of every member who received it.
The bug was verified in Telegram for Android version 5.10.0 (1684). It may also have affected Telegram for Windows and iOS, but those clients were not tested.
Telegram accepted the research and the accompanying proof-of-concept (PoC) submitted by Mishra, who was rewarded for the report. A fix is included in the latest version of Telegram, version 5.11.