HYDERABAD: A security flaw has been reported in Telegram, a WhatsApp-like messaging app that is preferred by VIPs and cybersecurity aficionados for its high-end security features. Ironically, the vulnerability has been reported in its secret messaging feature, which allows a user to delete all traces of a chat. The bug in this functionality allows photos taken and shared in secret chats to be left behind even after they are deleted. “These photos will be stored in the device and accessible to all applications installed on the Android device,” researchers at Cisco Talos said in their vulnerability report.
Telegram, which was released in 2013, has quickly become a preferred channel for politicians, for the internal communication of political parties, and for cybersecurity enthusiasts who are wary of Facebook-controlled WhatsApp. Recently, the BJP, in the run-up to the 2019 elections, added Telegram to its social-media kitty for propagating party-related information.
Unlike other vulnerabilities, the problem with the Telegram flaw lies in its source code. As of now, when a user gives the command to take a picture on Telegram, the messaging app uses a third-party app, for instance Google Camera, to take the photo. When that happens, the third-party camera application saves the photo in its own directory on Android, in addition to the copy saved in the Telegram directory. So when the secret chat feature deletes the information in the app, the photo remains in the third-party camera’s directory.
To avoid the issue, the researcher recommended that Telegram use its own photo-taking code. “This way the application can ensure that the photo data is not saved by a third party application,” the report said. Earlier, it had found that Telegram, along with a few other messaging services, was vulnerable to side-channel attacks by hackers and that its desktop version was susceptible to getting hijacked.
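
A tester can check whether an app's delete feature leaves a photo behind, as described above, by comparing shared storage before the capture and after the deletion. The following script is an added example, not code from Cisco Talos or Telegram; the directory names and file contents are constructed, and it assumes a copy of the device's shared storage is available as a local directory.

```python
import hashlib
import tempfile
from pathlib import Path

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".webp", ".heic"}

def snapshot(root):
    """Map relative path -> SHA-256 for every image file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in IMAGE_EXTS
    }

def residual_images(before, after):
    """Images that are new or changed since the pre-capture snapshot."""
    return sorted(path for path, digest in after.items() if before.get(path) != digest)

def demo():
    """Replay the described sequence on a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)
        camera_dir = shared / "DCIM" / "Camera"        # constructed path
        app_dir = shared / "messenger_app" / "images"  # constructed path
        camera_dir.mkdir(parents=True)
        app_dir.mkdir(parents=True)
        (camera_dir / "older_photo.jpg").write_bytes(b"unrelated earlier photo")
        before = snapshot(shared)

        # Capture: the external camera keeps its copy, the messenger keeps another.
        photo = b"constructed secret-chat photo bytes"
        (camera_dir / "IMG_0001.jpg").write_bytes(photo)
        (app_dir / "secret_0001.jpg").write_bytes(photo)

        # Secret-chat deletion removes only the messenger's own copy.
        (app_dir / "secret_0001.jpg").unlink()
        return residual_images(before, snapshot(shared))

if __name__ == "__main__":
    for path in demo():
        print("left behind after deletion:", path)
```

Any path the check reports is a file that outlived the deletion; an app that captures photos with its own code should produce an empty list.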