Researcher refuses Telegram bounty, discloses auto-delete bug
Telegram fixed another self-destruct bug in its app earlier this year, a different defect from the one reported in 2019. But the researcher who reported it is not happy with Telegram's months-long turnaround time, nor with the $1,159 (€1,000) bounty offered in return for his silence.
Self-destructing images remained on the device
Like other messaging apps, Telegram lets senders set communications to "self-destruct," so that messages and any media attachments are automatically deleted from the device after a set period of time. The feature promises additional privacy to senders and recipients who want to communicate discreetly.
In February 2021, Telegram introduced a set of auto-delete features in version 2.6:
- Set messages to delete automatically for everyone 24 hours or 7 days after sending
- Control auto-delete settings in any of your chats, as well as in groups and channels where you are an administrator
- To turn on auto-delete, right-click the chat in the chat list > Clear history > Enable auto-delete
But within days, a researcher known only as Dmitrii discovered a troubling flaw in the way the Telegram Android app had implemented self-destruct.
Because each self-destruct timer runs for at least 24 hours, Dmitrii's tests took several days.
"After just a few days… after diligently [testing], I got what I was looking for: messages that should be automatically deleted from private and private group chat participants were only 'removed' visually [in the messaging window], but in reality the picture messages remained on the device [in] the cache," the researcher wrote in a roughly translated blog post published last week.
Tracked as CVE-2021-41861, the flaw is straightforward. In Telegram Android app versions 7.5.0 through 7.8.0, self-destructing images remain on the device in the /Storage/Emulated/0/Telegram/Telegram Image directory after roughly two to four uses of the self-destruct feature, even though the UI tells the user the media has been destroyed. Anyone with access to the device's storage, or a file manager on it, can still open the pictures.
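The researcher's finding boils down to a mismatch between what the chat UI reports and what is on disk. The script below is an added illustration (not code from the researcher, from Telegram, or from this article) of how a practitioner can check a self-destruct feature for exactly that gap: inventory the app's media directory before the message arrives, after it is received, and after the timer fires, then report any file that came with the message and still exists after the UI says it is gone. It assumes the media directory is reachable as a local path (for instance a copy pulled off the phone with `adb pull`), and since file names are opaque it keys files by SHA-256 of their contents. The two scenario functions use a constructed directory and file name to show the buggy and the fixed behaviour side by side.

```python
"""Residual-media check for a self-destruct feature.

Added illustration, not code from the researcher or from Telegram.
Methodology: snapshot the media directory at three points (before the
message is received, after it is received, after self-destruct fires)
and report files that appeared with the message but survived deletion.

Assumptions (not from the article): the media directory is a local path,
e.g. a copy pulled with `adb pull`; files are keyed by content hash.
"""
import hashlib
import os
import tempfile


def snapshot(media_dir):
    """Map relative path -> SHA-256 for every regular file under media_dir."""
    inventory = {}
    for root, _dirs, files in os.walk(media_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            inventory[os.path.relpath(path, media_dir)] = digest
    return inventory


def residual_files(before, after_receive, after_destruct):
    """Files created by the message that survive its 'deletion'.

    A file is message media if its (path, hash) is new in `after_receive`
    relative to `before`. It is residual if the same (path, hash) is still
    present in `after_destruct`, i.e. the UI said "deleted" but disk did not.
    """
    message_media = {p: h for p, h in after_receive.items() if before.get(p) != h}
    return sorted(p for p, h in message_media.items() if after_destruct.get(p) == h)


def _deliver_image(media_dir):
    """Constructed stand-in for the client writing a received image to cache."""
    img = os.path.join(media_dir, "IMG_0001.jpg")  # constructed file name
    with open(img, "wb") as fh:
        fh.write(b"\xff\xd8\xff" + b"constructed-jpeg-bytes")
    return img


def simulate_buggy_client():
    """Reported behaviour: the chat bubble disappears, the file stays."""
    with tempfile.TemporaryDirectory() as media_dir:
        before = snapshot(media_dir)          # empty cache
        _deliver_image(media_dir)
        after_receive = snapshot(media_dir)
        # Timer fires; buggy client only updates the UI and leaves the file.
        after_destruct = snapshot(media_dir)
        return residual_files(before, after_receive, after_destruct)


def simulate_fixed_client():
    """Expected behaviour: the file is removed along with the message."""
    with tempfile.TemporaryDirectory() as media_dir:
        before = snapshot(media_dir)
        img = _deliver_image(media_dir)
        after_receive = snapshot(media_dir)
        os.remove(img)                         # fixed client deletes the media
        after_destruct = snapshot(media_dir)
        return residual_files(before, after_receive, after_destruct)


if __name__ == "__main__":
    print("buggy client leaves behind:", simulate_buggy_client())
    print("fixed client leaves behind:", simulate_fixed_client())
```

On a real device the three snapshots are taken of the pulled media directory at the three points in time; a non-empty result means the client's "deleted" indicator is not backed by the file system, which is precisely what the CVE describes. Hashing rather than trusting names also catches a client that renames or moves a file instead of removing it.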
Telegram asks for “confidentiality” in exchange for a bounty
But even for a simple bug like this, it wasn't easy to get Telegram's attention, Dmitrii explained. The researcher first contacted Telegram in early March. After months of emails and text messages back and forth, the company got back to Dmitrii in September, finally confirming the bug and working with the researcher on beta testing the fix. For his efforts, Dmitrii was offered a bug bounty of $1,159 (€1,000).
While many companies with bug bounty programs pay ethical hackers who responsibly identify and report vulnerabilities, public disclosure of the vulnerability is usually permitted after an agreed period, commonly 60 or 90 days.
"After studying the contract emailed by a Telegram representative, I drew attention to the fact that Telegram requires [me] not to disclose any cooperation details / technical details by default without its written approval," Dmitrii wrote, referring to the eight-page agreement the company sent the researcher.
Since then, the researcher says, Telegram has ghosted him: no response and no reward. "I did not receive the promised reward from Telegram in €1,000 or whatever," he wrote.
Interestingly, in 2019 a separate bug in the same self-destruct feature was reported by another researcher, who came away with a higher bounty: $2,897 (€2,500) rather than a measly $1,159.
Telegram's vulnerability-reporting program on HackerOne is likewise unclear about the company's disclosure policy. The page refers to an FAQ that mentions "Bounties" and "Cracking Contests" run by Telegram, but gives no indication of whether or when security issues may be disclosed.
The latest version of the Android Telegram app on the Google Play Store, seen by Ars, is v8.1.2, released on September 22, although the reported bug was likely fixed in an earlier release. Either way, Telegram users should update to the latest version to receive current and future security fixes.
Ars reached out to Telegram for comment before publication and is awaiting the company's response.