Researcher refuses Telegram’s bounty award, discloses auto-delete bug

Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn’t pleased with Telegram’s months-long turnaround time—and an offered €1,000 ($1,159) bounty award in exchange for his silence.

Self-destructed images remained on the device

Like other messaging apps, Telegram allows senders to set communications to “self-destruct,” such that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both the senders and the recipients intending to communicate discreetly.

In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:

  • Set messages to auto-delete for everyone 24 hours or 7 days after sending
  • Control auto-delete settings in any of your chats, as well as in groups and channels where you are an admin
  • To enable auto-delete, right-click on the chat in the chat list > Clear History > Enable Auto-Delete

But within a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.

Because each instance of self-destruction takes at least 24 hours to run, Dmitrii’s tests spanned a few days.

“After only a few days… having shown diligence, I achieved what I was looking for: Messages that should be auto-deleted from participants in private and private group chats were only ‘deleted’ visually [in the messaging window], but in reality, picture messages remained on the device [in] the cache,” the researcher wrote in a roughly translated blog post published last week.

Tracked as CVE-2021-41861, the flaw is rather simple. In the Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the /Storage/Emulated/0/Telegram/Telegram Image directory after approximately two to four uses of the self-destruct feature. But the UI appears to indicate to the user that the media was properly destroyed.
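
A way to check for this kind of residue on a test device, as an added example that is not from the article, the researcher or Telegram: snapshot a pulled copy of the media directory before the test, after the timed images arrive, and after the timer expires, then report files that arrived during the test and still exist. The function names and the sample files are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(media_dir):
    """Map SHA-256 digest -> relative path for every file under media_dir."""
    root = Path(media_dir)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[digest] = str(path.relative_to(root))
    return snap


def residual_media(baseline, after_receive, after_expiry):
    """Files that arrived during the test and still exist after the timer ran.

    Matching is by content hash, so a renamed or moved copy is still caught.
    Files already present in the baseline are ignored.
    """
    arrived = set(after_receive) - set(baseline)
    return sorted(after_expiry[d] for d in arrived if d in after_expiry)


def demo():
    """Constructed run: two timed images arrive, only one is really removed."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for a copy of the app's image directory pulled from a test device.
        media = Path(tmp) / "Telegram Image"
        media.mkdir()
        (media / "old_photo.jpg").write_bytes(b"unrelated image from another chat")
        baseline = snapshot(media)

        (media / "timed_1.jpg").write_bytes(b"constructed auto-delete image 1")
        (media / "timed_2.jpg").write_bytes(b"constructed auto-delete image 2")
        after_receive = snapshot(media)

        # Timer expires: one file is deleted, the other stays behind on disk.
        (media / "timed_1.jpg").unlink()
        after_expiry = snapshot(media)
        return residual_media(baseline, after_receive, after_expiry)


if __name__ == "__main__":
    print(demo())
```

An empty result after the timer has expired is the expected outcome on a fixed build; any path returned is a file the UI reported as deleted that is still on disk.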

agreement the company provided the researcher.

Telegram’s bug bounty reward agreement.

Since then, the researcher claims he has been ghosted by Telegram, which has given no response and no reward. “I have not received the promised reward from Telegram in €1,000 or any other,” he wrote.

Interestingly, in 2019, a separate bug also relating to the self-destruct feature was reported by another researcher who walked away with a higher bug bounty—a €2,500 ($2,897) reward rather than a measly €1,000.

Telegram’s vulnerability reporting program, managed by HackerOne, is also unclear about the company’s responsible disclosure protocol. The document links further to a FAQ that mentions “bounties” and “Cracking Contests” organized by Telegram, but there is nothing about if or when security issues can be disclosed.

The latest version of the Telegram Android app released on September 22, as seen by Ars, is v8.1.2 on the Google Play Store, although the reported bug was likely patched in an earlier version. Regardless, Telegram users should update their app to the latest version to receive current and future security updates.

Ars reached out to Telegram for comment in advance, but we haven’t heard back.