Infosec bod bags reward for spotting image privacy bug
Video Telegram has fixed a bug that broke one of its chat app's key privacy features: the ability to fully delete your sensitive messages on recipients' phones.
The software claimed it could effectively recall messages you sent to your friends: recalled chats were said to be deleted from their devices.
However, bug-bounty hunter Dhiraj Mishra told The Register today that while the text content of messages would be removed, any attached images would inadvertently remain on the handset.
And while it's fair to assume that, generally speaking, once you send data to someone on the internet, that information is effectively out of your hands and virtually impossible to recall, bear in mind that this remote-delete mechanism is an advertised feature of Telegram, and was expected to work.
"Assume a scenario where Bob sends a message which is a confidential image and was mistakenly sent to Alice. Bob proceeds to utilize a feature of Telegram known as 'Also delete for Alice' which would essentially delete the message for Alice," Mishra, who found the bug and privately reported it to Telegram, explained.
"Apparently, this feature does not work as intended, as Alice would still be able to see the image stored under the `/Telegram/Telegram Images/` folder, concluding that the feature only deletes the image from the chat window."
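The underlying pattern is a recall that is applied to one store (the chat database) but not to the second store the message also populated (the on-disk media folder). The following is an added illustration of that pattern, not Telegram's code: `RecipientDevice`, `delete_for_recipient_flawed`, `delete_for_recipient_fixed` and the `IMG-<id>.jpg` naming are assumed names for the example, and the image bytes are constructed. The flawed method reproduces the behaviour Mishra reports; the fixed method also removes the cached file the chat entry referenced.

```python
"""Model of a 'delete for recipient' that forgets the media cache.

Added example, not Telegram's code. Class and method names are
assumptions made for illustration; the image bytes are constructed.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Message:
    msg_id: int
    text: str
    attachment: Optional[str] = None  # path of the cached image on the recipient's device


class RecipientDevice:
    """Alice's side: a chat database plus a separate on-disk media folder.

    The two stores are the point: a delete that touches only the chat
    database leaves the media folder untouched.
    """

    def __init__(self, media_dir: str):
        self.media_dir = media_dir
        self.chat: Dict[int, Message] = {}

    def receive(self, msg_id: int, text: str, image_bytes: Optional[bytes] = None) -> Message:
        path = None
        if image_bytes is not None:
            # Stands in for the '/Telegram/Telegram Images/' folder Mishra describes.
            path = os.path.join(self.media_dir, f"IMG-{msg_id}.jpg")
            with open(path, "wb") as fh:
                fh.write(image_bytes)
        msg = Message(msg_id, text, path)
        self.chat[msg_id] = msg
        return msg

    def delete_for_recipient_flawed(self, msg_id: int) -> bool:
        """The reported behaviour: the chat entry goes, the cached file stays."""
        return self.chat.pop(msg_id, None) is not None

    def delete_for_recipient_fixed(self, msg_id: int) -> bool:
        """Remove the chat entry and the cached media it referenced."""
        msg = self.chat.pop(msg_id, None)
        if msg is None:
            return False
        if msg.attachment and os.path.exists(msg.attachment):
            os.remove(msg.attachment)
        return True

    def image_still_on_disk(self, msg_id: int) -> bool:
        return os.path.exists(os.path.join(self.media_dir, f"IMG-{msg_id}.jpg"))


def demo(fixed: bool) -> dict:
    """Send a confidential image to 'Alice', recall it, and report what remains."""
    with tempfile.TemporaryDirectory() as media_dir:
        alice = RecipientDevice(media_dir)
        alice.receive(1, "sent by mistake", image_bytes=b"\xff\xd8constructed-jpeg-bytes")
        if fixed:
            alice.delete_for_recipient_fixed(1)
        else:
            alice.delete_for_recipient_flawed(1)
        # Evaluated before the temporary folder is torn down.
        return {
            "in_chat_window": 1 in alice.chat,
            "image_on_disk": alice.image_still_on_disk(1),
        }


if __name__ == "__main__":
    print("flawed:", demo(fixed=False))  # image_on_disk stays True
    print("fixed: ", demo(fixed=True))
```

The check a reviewer would want from any "delete for everyone" implementation is the one `demo(fixed=True)` encodes: after the recall, nothing the message wrote to the device remains, not only the chat row.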
Below is a video demonstrating the programming oversight:
"I have tried this with the latest stable version (5.10.0 (1684)) of Telegram for Android," Mishra added. "I haven't tried this with Telegram for iOS and Telegram for ..