Front page layout
Sign up or login to join the discussions!
Ax Sharma –
Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn’t pleased with Telegram’s months-long turnaround time—and an offered €1,000 ($1,159) bounty award in exchange for his silence.
Like other messaging apps, Telegram allows senders to set communications to “self-destruct,” such that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both the senders and the recipients intending to communicate discreetly.
In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:
But in a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.
Because each instance of self-destruction takes at least 24 hours to run, Dmitrii’s tests spanned a few days.
“After only a few days… having shown diligence, I achieved what I was looking for: Messages that should be auto-deleted from participants in private and private group chats were only ‘deleted’ visually [in the messaging window], but in reality, picture messages remained on the device [in] the cache,” the researcher wrote in a roughly translated blog post published last week.
Tracked as CVE-2021-41861, the flaw is rather simple. In the Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the
/Storage/Emulated/0/Telegram/Telegram Image directory after approximately two to four uses of the self-destruct feature. But the UI appears to indicate to the user that the media was properly destroyed.
But for a simple bug like this, it wasn’t easy to get Telegram’s attention, Dmitrii explained. The researcher contacted Telegram in early March. And after a series of emails and text correspondence between the researcher and Telegram spanning months, the company reached out to Dmitrii in September, finally confirming the existence of the bug and collaborating with the researcher during beta testing. For his efforts, Dmitrii was offered a €1,000 ($1,159) bug bounty reward.
Although many companies with bug bounty programs offer monetary rewards to ethical hackers who identify and responsibly report vulnerabilities, disclosure of the security flaws is typically permitted after an agreed-upon period of 60 or 90 days.
“Having studied the contract sent by email by a Telegram representative, I drew attention to the fact that Telegram requires [me] not to disclose any details of cooperation/technical details by default without its written approval,” wrote Dmitrii, referring to the eight-page-long agreement the company provided the researcher.
Since then, the researcher claims he has been ghosted by Telegram, which has given no response and no reward. “I have not received the promised reward from Telegram in €1,000 or any other,” he wrote.
Interestingly, in 2019, a separate bug also relating to the self-destruct feature was reported by another researcher who walked away with a higher bug bounty—a €2,500 ($2,897) reward rather than a measly €1,000.
Telegram’s vulnerability reporting program, managed by HackerOne, is also unclear about the company’s responsible disclosure protocol. The document links further to a FAQ that mentions “bounties” and “Cracking Contests” organized by Telegram, but there is nothing about if or when security issues can be disclosed.
The latest version of the Telegram Android app released on September 22, as seen by Ars, is v8.1.2 on the Google Play Store, although the reported bug was likely patched in an earlier version. Regardless, Telegram users should update their app to the latest version to receive current and future security updates.
You must login or create an account to comment.
Join the Ars Orbital Transmission mailing list to get weekly updates delivered to your inbox.
WIRED Media Group
Your California Privacy Rights | Do Not Sell My Personal Information
The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast.