Club Benefits
You are now subscribed
Your newsletter sign-up was successful
Want to add more newsletters?
Daily (Mon-Sun)
Tom's Guide Daily
Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.
Weekly on Thursday
Tom's AI Guide
Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!
Weekly on Friday
Tom's iGuide
Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.
Weekly on Monday
Tom's Streaming Guide
Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.
Join the club
Get full access to premium articles, exclusive features and a growing list of member rewards.
A hidden flaw in the Telegram secure-messaging service could expose user passwords, a researcher found. The service may also expose media files from self-destructing messages.
Dhiraj Mishra, a security consultant working in Dubai, revealed in a blog post yesterday (Feb. 11) that the Mac desktop client for Telegram indefinitely preserved audio and video files from self-destructing messages.
- Telegram: What it is and how to use it
- The best encrypted messaging apps
- Plus: Anyone can hack your Mac unless you patch it now — here's how
He did some more poking around and found that the Mac Telegram client also stored user passwords in plain text. Neither of these security lapses is a good thing. Malware or a crafty intruder could have found both sets of files.
"Telegram fails again in terms of handling the user's data," Mishra wrote in his blog post, sarcastically titled "The 'P' in Telegram Stands for Privacy."
The Mac client appropriately deleted self-destructing messages, Mishra wrote. But if any video or audio files were attached to those messages, those files could still be found buried deep in the Mac's filesystem. Anyone, or anything, that knew where to look could find them.
Passwords were written in plain text in the user's Telegram metadata, where it also could have been found by attackers.
Mishra told Bleeping Computer that he reported the flaws to Telegram in December and received a 3,000-euro bug bounty for his trouble.
Telegram fixed both flaws with the 7.4 update in late January. If you're using Telegram on a Mac, make sure your client software is up-to-date.
Telegram has seen a spike in new users recently, after a privacy-permissions change at WhatsApp prompted an exodus from the Facebook-owned service.
Many security professionals aren't convinced that Telegram is very safe to use for highly sensitive communications. They instead recommend the Signal service, which uses the same encryption as WhatsApp.
Mishra ended his blog with a clear indication of where he stands on the issue, embedding Elon Musk's now-famous tweet to "Use Signal." (Here's how.)
