Imagine this: you’re at a party one Saturday night and, at 1 a.m., decide to send your best pal a picture of yourself doing a headstand wearing nothing but a pink tutu, slamming a litre of Smithwick’s finest from a beer bong.
Unfortunately, your best pal’s name is Sue, which also happens to be your boss’s name, and you selected the wrong contact. Ruh-roh. That’s a quick way to sober up.
Luckily, you sent the photo using Telegram Messenger, and you remember that it lets you delete entire messages, and the pictures they contain, from both your phone and the recipient’s. Sue was probably asleep, so you can quickly wipe the message and no one will be any the wiser.
Phew, no harm done. Except for one important fact: it turns out that ‘unsend’ feature didn’t work properly.
Telegram introduced its ‘unsend message’ feature in version 3.16 back in 2017. It’s another feature in an app that has attracted privacy advocates everywhere for its ability to cloak communications, but security researcher Dhiraj Mishra has uncovered a flaw.
The Android version of Telegram stores any images received in the /Telegram/Telegram Images/ folder. When deleting a message, you’d expect it to delete the image as well. In fact, it left the picture intact in the folder. The recipient would have to know to look there, of course, but if they checked, they’d be able to see you in all your tutu-sporting, beer-bonging glory. Bang goes your promotion.
Telegram’s unsend message function also works with messages sent to groups. That’s great for mistakes where you accidentally send a file to multiple participants, but unfortunately, the same bug exists there too. Mishra said:
Assume a case wherein you’re a part of a group with 200,000 members and you accidentally share a media file not meant to be shared in that particular group and proceed to delete, by checking “delete for all members” present in the group. You’re relying on a functionality that is broken since your file would still be present in storage for all users.
Mishra didn’t test the iOS or desktop versions of Telegram, but assumed the bug would work on other platforms too. It’s a moot point for people who upgrade their Telegram app because the company fixed the bug in version 5.11. It also awarded him €2,500.
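A minimal model of the flaw described above and of one possible fix, added here as an example; it is not Telegram's code and does not claim to show how Telegram fixed it. The `ToyMessenger` class, its method names and the sample files are hypothetical; only the folder name comes from the article.

```python
import tempfile
from pathlib import Path


class ToyMessenger:
    """Hypothetical model of a chat client's local state, not Telegram's code."""

    def __init__(self, root: Path):
        # Mirrors the folder name the article gives for received images.
        self.media_dir = root / "Telegram" / "Telegram Images"
        self.media_dir.mkdir(parents=True)
        self.messages = {}  # message id -> path of the saved image

    def receive(self, msg_id: int, name: str, data: bytes) -> None:
        path = self.media_dir / name
        path.write_bytes(data)
        self.messages[msg_id] = path

    def unsend_flawed(self, msg_id: int) -> None:
        # As the article describes: message record goes, image file stays.
        self.messages.pop(msg_id, None)

    def unsend_fixed(self, msg_id: int) -> None:
        # Delete the file together with the message record.
        path = self.messages.pop(msg_id, None)
        if path is not None:
            path.unlink(missing_ok=True)

    def orphaned_media(self) -> list:
        # Files on disk that no remaining message refers to.
        referenced = set(self.messages.values())
        return sorted(p.name for p in self.media_dir.iterdir() if p not in referenced)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        app = ToyMessenger(Path(tmp))
        app.receive(1, "tutu.jpg", b"constructed sample bytes")
        app.receive(2, "cat.jpg", b"constructed sample bytes")
        app.unsend_flawed(1)
        after_flawed = app.orphaned_media()   # image outlives the message
        app.receive(3, "oops.jpg", b"constructed sample bytes")
        app.unsend_fixed(3)
        after_fixed = app.orphaned_media()    # only the earlier leftover remains
        return {"after_flawed": after_flawed, "after_fixed": after_fixed}


if __name__ == "__main__":
    print(demo())
```

The `orphaned_media` check is the kind of regression test that catches this class of bug: after any delete, no file should exist on disk without a message that refers to it.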