It took Telegram months to fix the "self-destruct" message bug. Then it asked for silence.
Earlier this year, Telegram patched another image self-destruction flaw in its app. This flaw was different from the one reported in 2019. But the researcher who reported the bug was unhappy with Telegram's months-long response, and with the bounty of $1159 (€1,000) that was offered in exchange for silence.
Self-destructed photos remain on the device
Like other messaging apps, Telegram allows senders to set communications to "self-destruct" so that messages and any attachments are automatically deleted from the device after a time-limited period. This benefits senders and receivers who intend to communicate anonymously, with greater privacy.
In February 2021, Telegram introduced a set of auto-deletion features in version 2.6: set messages to auto-delete 24 hours or 7 days after sending; control auto-delete settings in all your conversations, as well as in the groups and channels you manage; and, to enable automatic deletion, go to the chat menu > Clear history > Enable automatic deletion.
But within a few days, anonymous researcher Dmitriy discovered a disturbing flaw in how the Telegram Android app carried out automatic deletion.
Since each self-destruct test lasted at least 24 hours, testing took several days.
"After just a few days ... with effort, I got what I wanted: messages that should be automatically deleted from participants in private and private group chats were only visually deleted [in the message window], but in reality, the video messages are hidden on the device [in] memory."
The flaw is relatively simple. In Telegram for Android versions 7.5.0 to 7.8.0, self-destructed photos remain on the device in /Storage/Emulated/0/Telegram/Telegram Image after the self-destruct feature has been used approximately four times. They remain even though the user interface appears to indicate that the media has been deleted correctly.
But even for a minor problem like this, Dmitriy explained, it wasn't easy to get Telegram's attention. The researcher contacted Telegram in early March. After a series of emails and text messages between the researcher and Telegram over the following months, the company contacted Dmitriy in September, finally confirmed the bug's existence, and collaborated with the researcher during the beta test, for which Dmitriy received a cash bonus of $1100 (€1,000).
Although many companies offer financial rewards to ethical hackers who identify and report vulnerabilities responsibly through bug bounty programs, disclosure of the security flaws is usually permitted after an agreed period of 60 or 90 days.
“While studying the contract sent by a Telegram representative via e-mail, I was drawn to the fact that Telegram asks me not to disclose any cooperation/technical details by default without written confirmation,” wrote Dmitriy, referring to the eight-page bug rewards agreement that the company provided to the researcher.
Since then, the researcher claims that Telegram has been ignoring him and has given him neither a response nor a reward. "I did not receive the bonus that Telegram promised me in the amount of 1,000 euros or any other amount," he wrote. Interestingly, in 2019, another researcher reported a separate bug related to this feature, for which he received a higher prize: a bonus of $2,897 (€2,500) rather than $1,159.
Telegram's vulnerability reporting page, which is run by HackerOne, is also not clear about the company's responsible disclosure policy. The page links to frequently asked questions about "bonuses" and "gap contests" organized by Telegram, but does not say if or when security issues can be disclosed.
The latest version of the Telegram Android app, released on September 22nd, is 8.1.2 on the Google Play Store, as seen by Ars, although the reported bug may have been fixed in a previous version. Regardless, Telegram users will need to update their app to the latest version to receive current and future security updates.
We are waiting for the company's response.