Telegram Vulnerability Allowed Viewing of Deleted Images


A new version (5.11) of the mobile client for the cross-platform messenger Telegram has been released, fixing a vulnerability that allowed recipients to view images or files even after they were deleted by the sender.

In March, Telegram introduced a new feature that lets users delete sent messages from all recipient devices. This was added as an extra layer of privacy in case a file, image, or message was sent by mistake, or if the sender later decided to remove it.

Security researcher Dhiraj Mishra discovered a flaw in how the MTProto-based Telegram client handled the message deletion feature. When a sender deletes a message, image, or file, the entry disappears from both the sender's and the recipient's chat windows, but the attachment itself stays in the client's local storage on the recipient's device. On Android, the recipient could therefore still open and view the "deleted" file from the file system.

The vulnerability affected not only media deleted from individual chats, but also files sent to Telegram supergroups. If a user accidentally sent a file to a group and then deleted it, the cached copy remained on every group member's device and could still be opened from the file system. Mishra tested the vulnerability only on the Android version of Telegram, but believes the issue may also affect the iOS release.
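The following is an added example, not Telegram's code and not part of the original article. It models the failure mode described above: a recipient's client keeps two things for an attachment, the message record shown in the chat and a cached copy of the file in local storage, and "delete for everyone" is only effective if it removes both. The `ClientStore` class, the `simulate` helper, the supergroup of three members and the JPEG payload are all constructed for the example; the hardened path also reference-counts cached files, so that a file shared by two messages (for instance the same photo sent to a group and to a direct chat) is not unlinked while another message still needs it.

```python
"""Chat-level delete vs. storage-level delete (hypothetical model, not Telegram's code)."""
import os
import tempfile
from typing import Dict, List, Optional, Tuple


class Message:
    def __init__(self, msg_id: int, chat_id: int, cache_path: Optional[str]):
        self.msg_id = msg_id
        self.chat_id = chat_id
        self.cache_path = cache_path  # local copy of the attachment, if any


class ClientStore:
    """Minimal model of one recipient's local message store (constructed for this example).

    unlink_on_delete=False reproduces the bug: the chat entry is dropped but the
    cached file survives.  unlink_on_delete=True is the hardened behaviour.
    """

    def __init__(self, cache_dir: str, unlink_on_delete: bool):
        self.cache_dir = cache_dir
        self.unlink_on_delete = unlink_on_delete
        self.messages: Dict[int, Message] = {}
        self.refcount: Dict[str, int] = {}  # how many messages share one cached file

    def receive(self, msg_id: int, chat_id: int, file_name: str, payload: bytes) -> None:
        """Store the attachment once on disk and record the message that references it."""
        path = os.path.join(self.cache_dir, file_name)
        if path not in self.refcount:
            with open(path, "wb") as fh:
                fh.write(payload)
            self.refcount[path] = 0
        self.refcount[path] += 1
        self.messages[msg_id] = Message(msg_id, chat_id, path)

    def delete_for_everyone(self, msg_id: int) -> bool:
        """Honour a remote delete.  Returns True if the message existed locally."""
        msg = self.messages.pop(msg_id, None)
        if msg is None:
            return False
        if not self.unlink_on_delete or msg.cache_path is None:
            return True  # vulnerable path: chat view is clean, file is still on disk
        self.refcount[msg.cache_path] -= 1
        if self.refcount[msg.cache_path] == 0:  # last reference gone: remove the file
            del self.refcount[msg.cache_path]
            try:
                os.remove(msg.cache_path)
            except FileNotFoundError:
                pass  # already gone (e.g. user cleared the cache); nothing to leak
        return True

    def residual_files(self) -> List[str]:
        """Cached files no live message refers to: what a file manager would still show."""
        live = {m.cache_path for m in self.messages.values()}
        return sorted(
            f for f in os.listdir(self.cache_dir)
            if os.path.join(self.cache_dir, f) not in live
        )


def simulate(unlink_on_delete: bool, members: int = 3) -> Dict[str, List[str]]:
    """Sender posts one image to a supergroup, then deletes it for everyone.

    Returns, per member, the files still lying in that member's cache afterwards.
    """
    with tempfile.TemporaryDirectory() as root:
        stores: Dict[str, ClientStore] = {}
        for i in range(members):
            member_dir = os.path.join(root, f"member{i}")
            os.mkdir(member_dir)
            stores[f"member{i}"] = ClientStore(member_dir, unlink_on_delete)
        image = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-bytes"  # constructed payload
        for store in stores.values():  # every member's client downloads the attachment
            store.receive(msg_id=1, chat_id=100, file_name="photo_1.jpg", payload=image)
        for store in stores.values():  # the sender's delete fans out to every member
            store.delete_for_everyone(1)
        return {name: store.residual_files() for name, store in stores.items()}


def shared_file_demo() -> Tuple[bool, bool]:
    """Hardened store, one cached file referenced by two messages.

    Returns (file exists after first delete, file exists after second delete).
    """
    with tempfile.TemporaryDirectory() as root:
        store = ClientStore(root, unlink_on_delete=True)
        store.receive(1, 100, "a.jpg", b"x")  # sent to a group
        store.receive(2, 200, "a.jpg", b"x")  # same photo forwarded to a direct chat
        path = os.path.join(root, "a.jpg")
        store.delete_for_everyone(1)
        after_first = os.path.exists(path)
        store.delete_for_everyone(2)
        after_second = os.path.exists(path)
        return after_first, after_second


if __name__ == "__main__":
    print("vulnerable:", simulate(unlink_on_delete=False))
    print("hardened:  ", simulate(unlink_on_delete=True))
    print("shared file kept until last reference:", shared_file_demo())
```

With `unlink_on_delete=False` every member still has `photo_1.jpg` in the cache directory after the delete; with it set to `True` the directories are empty. The reference count matters in practice: an unconditional `os.remove` on delete would fix the leak but break the other chat that still displays the same cached file.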

After reporting the bug, Telegram rewarded the researcher with a €2,500 bounty.

The researcher published a video demonstrating how the vulnerability could be exploited.
