The mobile messaging app, Telegram, recently announced that a fix to a nettlesome bug had been published on September 5. Security researcher Dhiraj Mishra found the problem while investigating Telegram’s MTProto protocol.
The app has a feature that allows users to “unsend” messages that have been sent to others’ inboxes. This convenient mechanism allows users to retract messages that have been sent by mistake or to the wrong user. The feature has been available since 2017.
However, Mishra found that the cell phone app had a bug that allowed users to recover “unsent” messages. Unsent messages were still stored on the receiver’s phone, and although the text content of the Telegram message was deleted, any sent photos and videos could be recovered. This was true of large group messages as well as individual ones.
Uses of “Unsend” Features
Other messaging services like WhatsApp also have unsend features, but they delete messages along with their content. Although it is not entirely clear how many of Telegram’s 100,000,000 users have been negatively affected by the bug, the potential for error and abuse is clearly enormous. For instance, immigrants can be deported for undesirable content on their phones.
Imagine the following scenario. A man is coming home from a bar one night, slightly intoxicated. He has just lost a bet with a bar patron, resulting in his performing an embarrassing public display. He means to send the video of his performance to his friend, but his finger slips and he accidentally presses “Work Group,” sending the video to his entire 1,213-person company and all his previous employers.
As you can see from a scenario like this, having an option to delete a sent message is an increasing necessity in the information age, and a bug of the sort discovered here is a major liability. It has potentially career-damaging, relationship-ending, and otherwise life-changing consequences, under certain circumstances.
Unsend features are becoming more common, as services such as Facebook, Instagram, and Gmail have adopted their own versions. Given that accidentally sent messages that could not be deleted have wrought havoc since the 1990s, it is perhaps surprising that such a feature was not designed sooner.
Protecting Your Mobile Device
Our team of examiners at SecureForensics has experience in mobile phone forensics and can analyze digital devices when there has been suspicious activity. We perform our data recovery and examinations in certified Class 10 ISO 4 Cleanrooms, and our examiners hold many security credentials. These include:
If you are concerned about keeping your phone or your organization’s phone airtight, call 1-800-288-1407 for more information on our forensic services.