Telegram has now resolved a privacy issue that allowed users to recover images and videos that had been “unsent” by other users.
Telegram has a feature whereby users can “unsend” messages they have sent, removing them from other people’s inboxes. However, security researcher Dhiraj Mishra found that although Telegram had removed the messages from a user’s device, any images or videos that were sent were still stored on the user’s phone.
Mishra discovered the bug whilst researching Telegram’s MTProto protocol. The bug affects both the deletion of media from individual conversations and the deletion of files sent to a “supergroup”.
“The highlighted issue is valid when we talk about Telegram “supergroups” as well, assume a case wherein you’re a part of a group with 2,000,00 members and you accidentally share a media file not meant to be shared in that particular group and proceed to delete, by checking “delete for all members” present in the group.
“You’re relying on a functionality that is broken since your file would still be present in storage for all users.”
Mishra was only able to verify the bug in Telegram for Android; however, it can be assumed that the bug also exists in the desktop and iOS versions.
Mishra reported the bug, and it has now been fixed in version 5.11 for both Android and iOS.
It remains unknown if the privacy issue has impacted any users.
Users have been strongly advised to install the latest update. However, it is important to note that the release will most likely only fix the bug itself, so any media that was not properly deleted under the previous version will still be available on a user’s device.