"Telegram for Mac Bug Lets You Save Self-Destructing Messages Forever"
Reegun Richard Jayapaul, Trustwave SpiderLabs' Lead Threat Architect, discovered new vulnerabilities that could allow users on Telegram for Mac to save specific self-destructing messages and attachments forever or view them without the sender knowing. When media files, other than attachments, are sent in a message, they are saved to a cache folder. Telegram will not download documents such as text, Doc, or PDF files, and audio and video until a recipient tries to open them, probably because of the larger size of attachments. When a recipient views the content, the self-destruct timer will begin, then when it is finished, the content will be deleted automatically. However, Reegun found that the self-destructing media was not deleted from the cache folder, thus allowing a user to save it to another location on their hard drive. Telegram fixed this bug for macOS in version 7.7 (215786) or later, but an additional bug has been discovered that allows self-destructible media to be saved. As voice recordings, video messages, images, and more are automatically downloaded to the cache, Reegun found that a user could copy the media from the cache folder before viewing it in the program. This article continues to discuss the Telegram for Mac flaw that allows self-destructing messages to be saved forever, Telegram's response to this new discovery, and a similar vulnerability found earlier this year.
Bleeping Computer reports "Telegram for Mac Bug Lets You Save Self-Destructing Messages Forever"