Telegram Desktop Stores Chats Unencrypted: Security Concerns Explained

Telegram Desktop Stores Chats in Unencrypted Form

Last week, we wrote about several issues that security experts discovered in the desktop versions of the Signal messenger. One of the vulnerabilities was pointed out by researcher Nathaniel Suchy. It turned out that during installation, Signal Desktop creates an encrypted SQLite database (db.sqlite) where it stores user messages. The encryption key for this database is generated automatically by the messenger, without any user interaction. This key is stored locally in plain text: on Windows, it can be found in %AppData%\Signal\config.json, and on Mac in ~/Library/Application Support/Signal/config.json. As a result, it’s possible to “crack” the database and access messages with little effort.

Now, BleepingComputer reports that Suchy decided to check the security of the Telegram desktop client and found a very similar problem. Telegram Desktop also stores user chats in a local database, and these chats are just as accessible because they are not protected in any way.

Suchy told reporters that reading the contents of the SQLite database might be a bit tricky (see illustrations below), but the database is unencrypted. Additionally, the database contains names and phone numbers linked together. Most concerning, according to the researcher, is that even messages from “secret chats” end up in this unprotected database.

Media Files Also Unprotected

A similar situation is observed with media files. Suchy writes that it was enough to simply change the file extension to be able to view images.
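The two observations above (a database that is readable as stored, and media files that open once the extension is changed) both come down to the file content still carrying its original format. The following is an added example, not code from the researcher, the article, or Telegram: a content-based check that ignores file names and looks at well-known magic bytes, with an entropy heuristic for files that have no recognizable header. The file names and sample bytes are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Well-known file signatures (magic bytes); a plain SQLite file starts with this header.
SIGNATURES = [
    (b"SQLite format 3\x00", "sqlite-plaintext"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; approaches 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Classify a file by its content, ignoring its name and extension."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    # No known header: high entropy is consistent with encryption at rest,
    # but also with compression, so treat this as a heuristic only.
    if len(data) >= 256 and shannon_entropy(data) > 7.0:
        return "opaque-high-entropy"
    return "unknown"

def audit(files: dict) -> dict:
    """Map each file name to its content classification."""
    return {name: classify(blob) for name, blob in files.items()}

# Constructed sample inputs (hypothetical names, not real application data).
SAMPLES = {
    "cache_0001.bin": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    "messages.db": b"SQLite format 3\x00" + b"\x10\x00" + b"\x00" * 82,
    # Deterministic pseudo-random bytes standing in for an encrypted file.
    "sealed.db": b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)),
    "notes.dat": b"hello " * 20,
}

if __name__ == "__main__":
    for name, kind in audit(SAMPLES).items():
        print(f"{name}: {kind}")
```

A file that classifies as an image or as plaintext SQLite despite a neutral extension is stored as-is; renaming it hides nothing from anyone who can read the directory.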

No Response from Telegram Developers

Although the researcher and BleepingComputer representatives have already tried to contact the Telegram developers, there has been no response or comment from them so far.

Update: Durov Responds

In a Russian-language Telegram channel, Pavel Durov posted a rebuttal to the researcher’s claims. Durov argues that Suchy’s finding cannot be considered a vulnerability, since exploiting the bug assumes that the attacker already has access to the victim’s computer.

It’s worth noting that when talking about “real threats,” Durov refers to a publication about a bug in WhatsApp.
