Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn’t pleased with Telegram’s months-long turnaround time—and an offered $1,159 (€1,000) bounty award in exchange for his silence.
Self-destructed images remained on the device
Like other messaging apps, Telegram allows senders to set communications to “self-destruct,” such that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both the senders and the recipients intending to communicate discreetly.
In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:
- Set messages to auto-delete for everyone 24 hours or 7 days after sending
- Control auto-delete settings in any of your chats, as well as in groups and channels where you are an admin
- To enable auto-delete, right-click on the chat in the chat list > Clear History > Enable Auto-Delete
But in a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.
Because each instance of self-destruction takes at least 24 hours to run, Dmitrii’s tests spanned a few days.
“After only a few days… having shown diligence, I achieved what I was looking for: Messages that should be auto-deleted from participants in private and private group chats were only ‘deleted’ visually [in the messaging window], but in reality, picture messages remained on the device [in] the cache,” the researcher wrote in a roughly translated blog post published last week.
Tracked as CVE-2021-41861, the flaw is rather simple. In the Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the
/Storage/Emulated/0/Telegram/Telegram Image directory after approximately two to four uses of the self-destruct feature. But the UI appears to indicate to the user that the media was properly destroyed.
Telegram requests “confidentiality” in exchange for a bounty reward
But for a simple bug like this, it wasn’t easy to get Telegram’s attention, Dmitrii explained. The researcher contacted Telegram in early March. And after a series of emails and text correspondence between the researcher and Telegram spanning months, the company reached out to Dmitrii in September, finally confirming the existence of the bug and collaborating with the researcher during beta testing. For his efforts, Dmitrii was offered a $1,159 (€1,000) bug bounty reward.
Although many companies with bug bounty programs offer monetary rewards to ethical hackers who identify and responsibly report vulnerabilities, disclosure of the security flaws is typically permitted after an agreed-upon period of 60 or 90 days.
“Having studied the contract sent by email by a Telegram representative, I drew attention to the fact that Telegram requires [me] not to disclose any details of cooperation/technical details by default without its written approval,” wrote Dmitrii, referring to the eight-page-long agreement the company provided the researcher.
Since then, the researcher claims he has been ghosted by Telegram, which has given no response and no reward. “I have not received the promised reward from Telegram in €1,000 or any other,” he wrote.
Interestingly, in 2019, a separate bug also relating to the self-destruct feature was reported by another researcher who walked away with a higher bug bounty—a $2,897 (€2,500) reward rather than a measly $1,159.
Telegram’s vulnerability reporting program, managed by HackerOne, is also unclear about the company’s responsible disclosure protocol. The document links further to a FAQ that mentions “bounties” and “Cracking Contests” organized by Telegram, but there is nothing about if or when security issues can be disclosed.
The latest version of the Telegram Android app released on September 22, as seen by Ars, is v8.1.2 on the Google Play Store, although the reported bug was likely patched in an earlier version. Regardless, Telegram users should update their app to the latest version to receive current and future security updates.
Ars has reached out to Telegram for comment in advance, and we are awaiting the company’s response.