A recent update from the mobile messaging app Telegram fixed a potential privacy bug that allowed the recipient to view images after they are deleted by the sender.
Telegram introduced this feature in March that allows a sender to delete a message even after sending it and have it removed from all those who have received it. This privacy feature was an added advantage to users as it would help the sender remove the file or photo in case it was sent by accident.
Security researcher Dhiraj Mishra discovered the bug while he was researching Telegram’s MTProto protocol. He found that when a sender deleted a message/file from telegram it would be removed instantly from senders and recipient’s conversation but is still stored locally on the device.
This vulnerability is not only applicable to the individual conversations but also relevant with the supergroups, meaning, if a user sent a file unknowingly to a group and then deleted it thinking it would be no longer available to anyone, he was mistaken because any group member could access it within their device’s file system.
Telegram awarded the researcher a bug bounty price of €2,500 and the bug was fixed in the latest update version 5.11. The update has been released for both android and iOS users.