Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a distinct issue from the one reported in 2019. But the researcher who reported the bug is not happy with Telegram's months-long turnaround time, or with the €1,000 ($1,159) bounty he was offered in exchange for his silence.
Self-destructed images remained on the device
Like other messaging apps, Telegram lets senders set communications to "self-destruct," so that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both senders and recipients who intend to communicate discreetly.
In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:
- Set messages to auto-delete for everyone 24 hours or 7 days after sending
- Control auto-delete settings in any of your chats, as well as in groups and channels where you are an admin
- To enable auto-delete, right-click on the chat in the chat list > Clear History > Enable Auto-Delete
But within a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.
Because each instance of self-destruction takes at least 24 hours to run, Dmitrii's tests spanned several days.
"After a few days… having shown diligence, I achieved what I was looking for: Messages that should be auto-deleted from participants in private and private group chats were only 'deleted' visually [in the messaging window], but in reality, image messages remained on the device [in] the cache," the researcher wrote in a roughly translated blog post published last week.
Tracked as CVE-2021-41861, the flaw is fairly simple. In Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the /Storage/Emulated/0/Telegram/Telegram Image directory after roughly two to four uses of the self-destruct feature, while the UI indicates to the user that the media was properly destroyed. In other words, the deletion was applied to the chat view but not to the cached copy on storage.
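To make the gap between "deleted in the UI" and "deleted from storage" concrete, here is an added example; it is not code from Telegram or from Dmitrii's write-up. It contrasts a UI-only deletion with a purge that unlinks the cache copy and verifies the unlink, then audits a media directory for files belonging to messages the app reports as self-destructed. The directory name, the message ledger (MediaRecord) and the fake JPEG stubs are constructed for illustration; on a device you would first copy the cache directory named above off the phone with adb and point the audit at that copy.

```python
"""
Added example, not Telegram's code or the researcher's: audit the filesystem for
media belonging to messages the app reports as self-destructed, instead of
trusting the chat window. The ledger and paths below are constructed.
"""
import tempfile
from dataclasses import dataclass, replace
from pathlib import Path


@dataclass(frozen=True)
class MediaRecord:
    """One image message: its cache copy and what the UI claims about it.
    Constructed structure, not Telegram's internal schema."""
    message_id: int
    cache_path: Path
    ui_reports_deleted: bool


def ui_only_delete(rec: MediaRecord) -> MediaRecord:
    """The failure mode described in the article: the message is marked
    deleted for display, but the cached file is never unlinked."""
    return replace(rec, ui_reports_deleted=True)


def purge(rec: MediaRecord) -> MediaRecord:
    """What self-destruction should do: unlink the cache copy, verify the
    unlink took effect, then mark the message deleted."""
    try:
        rec.cache_path.unlink()
    except FileNotFoundError:
        pass
    if rec.cache_path.exists():
        raise RuntimeError(f"cache copy survived unlink: {rec.cache_path}")
    return replace(rec, ui_reports_deleted=True)


def find_residual_media(records, cache_dir: Path):
    """Return (residual_ids, orphan_files): ids of messages the UI reports as
    deleted whose cache file still exists, and every file in cache_dir not
    referenced by a live (undeleted) message. Residual files appear in both
    lists; the orphan list also catches leftovers no ledger entry explains."""
    live = {r.cache_path.resolve() for r in records
            if not r.ui_reports_deleted and r.cache_path.exists()}
    residual = sorted(r.message_id for r in records
                      if r.ui_reports_deleted and r.cache_path.exists())
    orphans = sorted(p.name for p in cache_dir.iterdir()
                     if p.is_file() and p.resolve() not in live)
    return residual, orphans


def demo():
    """Build a constructed cache directory with one live image, one image
    'deleted' only in the UI, one properly purged image and one stray file,
    then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the on-device media directory.
        cache = Path(tmp) / "Telegram Images"
        cache.mkdir()
        for name in ("live.jpg", "ui_only.jpg", "purged.jpg", "stray.jpg"):
            # Minimal fake JPEG header followed by the name; constructed content.
            (cache / name).write_bytes(b"\xff\xd8\xff" + name.encode())
        ledger = [
            MediaRecord(1, cache / "live.jpg", False),
            ui_only_delete(MediaRecord(2, cache / "ui_only.jpg", False)),
            purge(MediaRecord(3, cache / "purged.jpg", False)),
        ]
        return find_residual_media(ledger, cache)


if __name__ == "__main__":
    residual, orphans = demo()
    print("messages deleted in UI but still cached:", residual)
    print("cache files with no live message:", orphans)
```

The audit deliberately reports from two angles: residual entries tie a leftover file to the specific message the UI claims is gone, while the orphan list catches files that no live message explains at all, which is what a tester comparing directory listings across several self-destruct cycles would notice first.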
Telegram requests "confidentiality" in exchange for a bounty reward
But even for a simple bug like this, it wasn't easy to get Telegram's attention, Dmitrii explained. The researcher contacted Telegram in early March. After a series of emails and text messages between the researcher and Telegram spanning months, the company reached out to Dmitrii in September, finally confirming the existence of the bug and collaborating with the researcher during beta testing. For his efforts, Dmitrii was offered a €1,000 ($1,159) bug bounty reward.
Although many companies with bug bounty programs offer monetary rewards to ethical hackers who identify and responsibly report vulnerabilities, disclosure of the security flaws is typically permitted after an agreed-upon period of 60 or 90 days.
"Having studied the contract sent by email by a Telegram representative, I drew attention to the fact that Telegram requires [me] not to disclose any details of cooperation/technical details by default without its written approval," wrote Dmitrii, referring to the eight-page agreement the company presented to the researcher.
Since then, the researcher says he has been ghosted by Telegram, receiving neither a response nor the reward. "I have not received the promised reward from Telegram of €1,000 or any other," he wrote.
Interestingly, in 2019, a separate bug also relating to the self-destruct feature was reported by another researcher, who walked away with a larger bug bounty: a €2,500 ($2,897) reward rather than a measly €1,000.
Telegram's vulnerability reporting program, managed by HackerOne, is also unclear about the company's responsible disclosure protocol. The document links to a FAQ that mentions "bounties" and "Cracking Contests" organized by Telegram, but there is nothing about if or when security issues may be disclosed.
The latest version of the Telegram Android app, released on September 22 as seen by Ars, is v8.1.2 on the Google Play Store, although the reported bug was likely patched in an earlier version. Regardless, Telegram users should update their app to the latest version to receive current and future security updates.
Ars reached out to Telegram for comment in advance, but we have not heard back.