Telegram developers have fixed a bug due to which self-destructing audio and video were not removed from devices running macOS.
Let me remind you that in the secret chat mode, you cannot forward messages to other users, and it is also possible to configure automatic self-destruction of all messages and multimedia after a certain time.
Independent information security specialist Dhiraj Mishra discovered that in Telegram version 7.3, self-destructing messages were not completely deleted from the recipient’s device.
So, the expert noticed that on macOS standard chats escape the sandbox path, where all received video and audio files are stored. Although this path works in secret chats, the received media files are still stored there, even if the messages in the chat itself have already destructed themselves, as they should have.
Additionally, Mishra discovered that Telegram was storing local access codes to unlock the app in plain text format. They were saved in the Users/[username]/Library/GroupContainers/6N38VWS5BX.ru.keepcoder.Telegram/accounts-metadata folder as JSON files.
The researcher discovered both problems at the end of December 2020, and they were fixed with the release of Telegram 7.4. Mishra received a reward of $3,000 for reporting both errors.
Let me remind you that I also reported that a researcher discovered vulnerability in Telegram, which allows to locate user.