The desktop variant of the Telegram secure messaging app fails to protect chat content locally, offering access to plain-text conversations and media that otherwise travel encrypted.
Telegram's focus on providing secure communication is well known. The app uses encryption so that a third party cannot read conversations on their way to the destination.
A feature called 'secret chats' is available for those who want complete privacy for their communication; it uses end-to-end encryption to guarantee that only the sender and the receiver can access the contents.
These precautions guard against tampering and eavesdropping in transit. The conversations and media files Telegram Desktop stores locally, however, are fairly easy to access and read because they are not encrypted.
Nathaniel Suchy was able to read the app's database and the messages saved there. In a conversation with BleepingComputer Suchy said that Telegram uses “a somewhat difficult to read, but otherwise, not encrypted, SQLite Database to store messages.”
By converting the raw data to a simpler viewing format, Suchy also found names and phone numbers that could be correlated with one another. The information is not easy to read in its raw form, but custom scripts could make the details stand out and automate the extraction.
Telegram does not encrypt its SQLite database and leaves the messages lying in plain text on the system. The same happens with Signal's desktop app, a discovery also credited to Suchy.
Telegram Desktop offers password protection to prevent unauthorized access to the app, but this option does not add encryption: a tech-savvy, overly curious computer user could still read your chats.
The researcher tested the 'secret chat' feature as well. All messages go to the same database, whether or not they benefit from end-to-end encryption.
Media files fare no better. Obfuscation seems to be the only protection against extracting them: Suchy was able to view an image simply by changing the file's extension to that of a picture.
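As an added example (not code from the original article, nor from Telegram, Signal or the researcher), the script below shows what reading an unencrypted SQLite message store looks like and why renaming a media file is no protection. It builds a small constructed database with a made-up schema (the real app's table layout is not documented on this page, and the rows are invented), lists its tables, joins messages to names and phone numbers, correlates numbers typed into message bodies with user records, and identifies media files by their leading bytes instead of their extension.

```python
"""Added example: what reading an unencrypted local message store looks like.

This is not Telegram's, Signal's or the researcher's code.  The table layout
below is a constructed stand-in for the real app's schema, which this page
does not document; the rows are invented sample data.
"""
import re
import sqlite3

# Constructed sample data standing in for a client's local message store.
SAMPLE_USERS = [
    # (id, display name, phone number as stored by the client)
    (1, "Alice", "+15550100"),
    (2, "Bob", "+15550199"),
]
SAMPLE_MESSAGES = [
    # (id, chat_id, sender_id, body, is_secret) -- is_secret marks an
    # end-to-end encrypted ("secret") chat, stored in the same table.
    (1, 100, 1, "Meet at 6? +1 555 0100 is my number", 0),
    (2, 100, 2, "ok, call me on 555-0199", 0),
    (3, 200, 1, "secret: the key is in the drawer", 1),
]

# Leading bytes ("magic numbers") of common media formats.  A renamed or
# extension-less file is still identified by these, so changing the name
# or extension hides nothing.
MAGIC_NUMBERS = [
    # (offset, signature, format)
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (4, b"ftyp", "mp4"),
]


def build_store(path=":memory:"):
    """Create the constructed, unencrypted store (plain SQLite, no passphrase)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, chat_id INTEGER,
                              sender_id INTEGER, body TEXT, is_secret INTEGER);
    """)
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    return con


def list_tables(con):
    """First step against an unknown database: see which tables it holds."""
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [name for (name,) in rows]


FIELDS = ("id", "chat", "name", "phone", "body", "secret")


def dump_messages(con):
    """Join messages to users so each line carries name, phone and text."""
    rows = con.execute("""
        SELECT m.id, m.chat_id, u.name, u.phone, m.body, m.is_secret
        FROM messages AS m JOIN users AS u ON u.id = m.sender_id
        ORDER BY m.id
    """)
    return [dict(zip(FIELDS, row)) for row in rows]


PHONE_RE = re.compile(r"\+?\d[\d\s\-]{6,}\d")


def normalize_digits(number):
    """Keep digits only, so '+1 555 0100' and '555-0100' compare alike."""
    return re.sub(r"\D", "", number)


def correlate_phones(con):
    """Find phone numbers typed into message bodies and tie them to users.

    Returns (message id, number as written, matched user name or None)."""
    users = {normalize_digits(phone): name
             for name, phone in con.execute("SELECT name, phone FROM users")}
    hits = []
    for msg in dump_messages(con):
        for match in PHONE_RE.finditer(msg["body"]):
            digits = normalize_digits(match.group())
            # Compare on trailing digits so local and +country forms agree.
            owner = next((name for known, name in users.items()
                          if known.endswith(digits) or digits.endswith(known)),
                         None)
            hits.append((msg["id"], match.group(), owner))
    return hits


def sniff_media(data):
    """Return the media format implied by the file's leading bytes, or None."""
    for offset, sig, fmt in MAGIC_NUMBERS:
        if data[offset:offset + len(sig)] == sig:
            return fmt
    return None


if __name__ == "__main__":
    store = build_store()
    print("tables:", list_tables(store))
    for m in dump_messages(store):
        tag = "SECRET" if m["secret"] else "cloud "
        print(f"[{tag}] chat {m['chat']} {m['name']} ({m['phone']}): {m['body']}")
    print("phones in bodies:", correlate_phones(store))
    # A PNG header followed by junk, saved under a misleading name: still a PNG.
    renamed = b"\x89PNG\r\n\x1a\n" + bytes(16)
    print("renamed media is:", sniff_media(renamed))
```

Note that the 'secret' row comes out of the same query as the cloud chats: end-to-end encryption protects the message on the wire, and says nothing about how the client stores it once decrypted. The magic-number check is the same idea as renaming the file to a picture extension, only it does not rely on guessing: a few leading bytes name the format regardless of what the file is called.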
Saving data locally in plain text is not something to expect from a secure messaging app. When French hacker and entrepreneur Matt Suiche first discovered this behavior in Signal, he couldn't believe it.
Joshua Lund, Community and Support Manager at Signal, says that at-rest encryption is not something the desktop variant of the app tries to provide. The same argument stands for Telegram: both apps aim to offer communications that cannot be eavesdropped on, and they do achieve this. Even so, it is odd that the encryption does not extend to the data at rest on the local machine.
Protecting locally saved data is possible by enabling full-disk encryption in the operating system. It is available on Windows through BitLocker and on macOS through FileVault; the feature is present on Linux as well, and some big-name distributions offer it during the installation routine.
BleepingComputer tried to contact the Telegram team for comments but received no reply at the time of publishing.
Update 10/31/18: This issue affects the Telegram for macOS version only.
Comments
Throwdown - 4 months ago
How is this a thing with 2 different security focused developers doing the same stupid crap? At what point does one become so lazy and not give any thought to how this circumvents security?
Aokromes - 4 months ago
Telegram Desktop doesn't use SQLite; you are mixing products. The one with the security weakness is Telegram for macOS.
https://macos.telegram.org/
johnpreston - 4 months ago
You're misleading your readers. The app named Telegram Desktop (Windows, macOS, Linux) does not use sqlite, does not store messages on your drive and encrypts everything with your local passcode. You write about a native app for macOS called just Telegram.
You even give the right link (https://desktop.telegram.org) to the application that has nothing to do with the screenshots that you post after that. It's a shame you don't check the information that is posted.
freedomprivacy - 4 months ago
Hello,
I am contacting you to suggest that you modify the article.
Telegram Desktop for any operating system is not affected by this problem, for two reasons:
1) It does not maintain a DB of the data, but loads the same data from the cloud at startup and deletes it every time it is closed.
2) Data is encrypted https://github.com/telegramdesktop/tdesktop/blob/dev/Telegram/SourceFiles/storage/localstorage.cpp
The only vulnerable application is the native macOS application https://macos.telegram.org/
Greetings