Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different problem from the one reported in 2019. But the researcher who reported the bug is not happy with Telegram's months-long turnaround time, or with the €1,000 ($1,159) bounty award offered in exchange for his silence.
Self-destructed images remained on the device
Like other messaging apps, Telegram lets senders set communications to "self-destruct," so that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both senders and recipients who intend to communicate discreetly.
In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:
- Set messages to auto-delete for everyone 24 hours or 7 days after sending
- Control auto-delete settings in any of your chats, as well as in groups and channels where you're an admin
- To enable auto-delete, right-click the chat in the chat list > Clear History > Enable Auto-Delete
But within a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.
Because each instance of self-destruction takes at least 24 hours to run, Dmitrii's tests spanned several days.
"After only a few days… having shown diligence, I achieved what I was looking for: Messages that should be auto-deleted from members in private and private group chats were only 'deleted' visually [in the messaging window], but in reality, image messages remained on the device [in] the cache," the researcher wrote in a roughly translated blog post published last week.
Tracked as CVE-2021-41861, the flaw is rather simple. In Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the /Storage/Emulated/0/Telegram/Telegram Image directory after roughly two to four uses of the self-destruct feature. But the UI appears to indicate to the user that the media was properly destroyed.
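The practical lesson of the bug is that a "deleted" indicator in the UI says nothing about what is left on the filesystem, so the only reliable verification is to snapshot the media directory before and after the self-destruct timer fires and compare. The following audit helper is an added example written for this article and is not Telegram's code or the researcher's test harness; it simulates a cache directory in a temporary folder (all file names and contents are constructed here) and reports every file the app claimed to delete that still exists with unchanged content.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(directory):
    """Map each file's path (relative to the directory) to its SHA-256.

    Hashing rather than just listing names catches the case where a file is
    truncated or overwritten in place, which a plain name listing would miss.
    """
    root = Path(directory)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            result[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def residual_files(before, after, expected_gone):
    """Return files reported as self-destructed that survive with identical content.

    A file counts as residual only if it is still present after the event AND
    its hash matches the pre-event hash, i.e. the bytes were never touched.
    """
    return sorted(
        name
        for name in expected_gone
        if name in after and after[name] == before.get(name)
    )


def demo():
    """Simulate a media cache where the app deletes only some self-destruct images.

    Returns the list of residual files; on a correct implementation this is empty.
    """
    with tempfile.TemporaryDirectory() as cache:
        root = Path(cache)
        # Constructed sample files: two images sent with self-destruct, one normal image.
        (root / "img_001.jpg").write_bytes(b"\xff\xd8" + b"A" * 16)
        (root / "img_002.jpg").write_bytes(b"\xff\xd8" + b"B" * 16)
        (root / "img_003.jpg").write_bytes(b"\xff\xd8" + b"C" * 16)
        self_destruct = ["img_001.jpg", "img_002.jpg"]

        before = snapshot(root)
        # Simulated buggy behaviour (assumption for the demo, not a claim about
        # Telegram's internals): the timer removes the first file but leaves the second.
        (root / "img_001.jpg").unlink()
        after = snapshot(root)

        return residual_files(before, after, self_destruct)


if __name__ == "__main__":
    leftovers = demo()
    print("residual self-destructed files:", leftovers or "none")
```

To use this against a real device image or an exported cache, call `snapshot()` on the directory before sending the timed media, wait out the timer, call it again, and pass the file names the app reported as destroyed to `residual_files()`; anything returned is media the user believes is gone but which any process with read access to that path can still open.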
Telegram requests "confidentiality" in exchange for a bounty reward
But for a simple bug like this, it wasn't easy to get Telegram's attention, Dmitrii explained. The researcher contacted Telegram in early March. After a series of emails and text correspondence between the researcher and Telegram spanning months, the company reached out to Dmitrii in September, finally confirming the existence of the bug and collaborating with the researcher during beta testing. For his efforts, Dmitrii was offered a €1,000 ($1,159) bug bounty reward.
Although many companies with bug bounty programs offer monetary rewards to ethical hackers who identify and responsibly report vulnerabilities, disclosure of the security flaws is typically permitted after an agreed-upon period of 60 or 90 days.
"Having studied the contract sent by email by a Telegram representative, I drew attention to the fact that Telegram requires [me] not to disclose any details of cooperation/technical details by default without its written approval," wrote Dmitrii, referring to the eight-page-long agreement the company offered the researcher.
Since then, the researcher claims he has been ghosted by Telegram, which has given no response and no reward. "I have not received the promised reward from Telegram in €1,000 or any other," he wrote.
Interestingly, in 2019, a separate bug also concerning the self-destruct feature was reported by another researcher who walked away with a higher bug bounty: a €2,500 ($2,897) reward rather than a measly €1,000.
Telegram's vulnerability reporting program, managed by HackerOne, is also unclear about the company's responsible disclosure protocol. The document links further to a FAQ that mentions "bounties" and "Cracking Contests" organized by Telegram, but there is nothing about if or when security issues may be disclosed.
The latest version of the Telegram Android app, released on September 22, as seen by Ars, is v8.1.2 on the Google Play Store, though the reported bug was likely patched in an earlier version. Regardless, Telegram users should update their app to the latest version to receive current and future security updates.
Ars reached out to Telegram for comment in advance, but we have not heard back.