For months the Telegram messenger had a bug that caused "self-destructing" images to remain stored on the device after they had disappeared from the chat. The problem was disclosed by the white-hat security researcher who originally found it.
Like other messengers, Telegram has long offered a function that automatically deletes messages, and any files attached to them, after a set period. In February 2021 Telegram announced the feature in a new release: messages can be set to auto-delete 24 hours, a week or a month after they are sent.
To enable it, open a chat, choose "Clear history" and set "Auto-delete messages in this chat". A researcher, Dmitry, found that in the Android version messages in private and group chats disappeared only visually: the attached material was still kept in the app's storage on the device.
According to Ars Technica, the vulnerability, tracked as CVE-2021-41861, affects app versions 7.5.0 through 7.8.0. Messages and images from auto-deleted chats remained in the directory /Storage/Emulated/0/Telegram/Telegram Image for at least some time after the declared deletion, while the app told the user that the material had been completely removed. That directory lives on the device's shared external storage rather than in Telegram's private app data, so the leftover files are not protected by the app alone.
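One way to test for this class of bug yourself, as an added example that is not part of the original article and not Telegram's code: take a content-hash snapshot of the media directory (for instance after copying it off the phone with adb pull), send a self-destructing image, snapshot again so you know which files the send created, wait until the timer has expired, snapshot a third time, and list every newly created file that is still there. The directory path and the timer periods come from the article; the snapshot file names, the temporary demo directory and its "image" files are assumptions constructed for the example, so the demo at the end runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or from Telegram.
# Finds files that outlive a "self-destruct" timer in a media cache directory
# by comparing content-hash snapshots taken before sending, after sending and
# after the timer has expired. Assumes a POSIX shell with find, sha256sum,
# sort, comm and sed.

# snapshot DIR OUT: write "<sha256>  <relative path>" for every regular file in
# DIR, sorted so that comm(1) can compare two listings line by line.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort > "$2"
}

# leaked BASELINE SENT EXPIRED: print the paths of files that were added between
# BASELINE and SENT (the material the test message created) and are still present,
# unchanged, in EXPIRED (taken after the auto-delete timer ran out).
leaked() {
    comm -13 "$1" "$2" | comm -12 - "$3" | sed 's/^[0-9a-f]*  //' | sort
}

# demo: run the check on a constructed directory standing in for
# /Storage/Emulated/0/Telegram/Telegram Image (hypothetical content).
# existing.jpg predates the test, gone.jpg is really deleted when the timer
# expires, leak.jpg survives; only leak.jpg should be reported.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cache"
    printf 'constructed old image' > "$tmp/cache/existing.jpg"
    snapshot "$tmp/cache" "$tmp/baseline.txt"   # before sending anything

    printf 'constructed image that leaks' > "$tmp/cache/leak.jpg"
    printf 'constructed image that is removed' > "$tmp/cache/gone.jpg"
    snapshot "$tmp/cache" "$tmp/sent.txt"       # right after the self-destructing send

    rm "$tmp/cache/gone.jpg"                    # what the timer should do to every file
    snapshot "$tmp/cache" "$tmp/expired.txt"    # after the timer has expired

    leaked "$tmp/baseline.txt" "$tmp/sent.txt" "$tmp/expired.txt"
    rm -rf "$tmp"
}

demo
```

Against a real device, replace the constructed directory with a copy of the Telegram media folder pulled before the send, after the send, and after the 24-hour (or longer) timer; an empty result from leaked means the client really removed what it created. Hashing rather than listing names also catches a file that was renamed but not removed.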
Dmitry first tried to reach Telegram in early March. After a chain of e-mails and messages stretching over months, the company got back to him in September, confirmed the bug and offered a reward of 1,000 euros.
Many companies pay rewards for vulnerabilities reported by white-hat researchers, and the researcher is usually allowed to publish details after a disclosure window, commonly 60 to 90 days, with the exact period negotiated case by case.
The agreement Telegram sent by e-mail, however, required that any information about the vulnerability be published only with Telegram's written permission. According to Dmitry, those terms did not suit him. After he declined, the company stopped responding and he never received the reward.
In 2019 a researcher is known to have received 2,000 euros from Telegram for a similar vulnerability, but it is not known for certain whether reporters were required to sign any non-disclosure agreement.
Google Play now offers Telegram 8.1.2, and the bug appears to have been fixed in an earlier release of the messenger.