Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug is not happy with Telegram’s months-long turnaround time, or with the offered €1,000 ($1,159) bounty award in exchange for his silence.
Self-destructed images remained on the device
Like other messaging apps, Telegram lets senders set communications to “self-destruct,” so that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both senders and recipients who intend to communicate discreetly.
In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:
- Set messages to auto-delete for everybody 24 hours or 7 days after sending
- Control auto-delete settings in any of your chats, as well as in groups and channels where you’re an admin
- To enable auto-delete, right-click on the chat in the chat list > Clear History > Enable Auto-Delete
But within a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.
Because every instance of self-destruction takes at least 24 hours to run, Dmitrii’s tests spanned a few days.
“After just a few days… having proven diligence, I achieved what I was looking for: Messages that ought to be auto-deleted from contributors in personal and personal group chats had been solely ‘deleted’ visually [in the messaging window], however in actuality, image messages remained on the machine [in] the cache,” the researcher wrote in a roughly translated blog post published last week.
Tracked as CVE-2021-41861, the flaw is rather simple. In Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the /Storage/Emulated/0/Telegram/Telegram Picture directory after roughly two to four uses of the self-destruct feature, even though the UI indicates to the user that the media was properly destroyed.
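The following is an added example, not code from the article, the researcher or Telegram: a triage check that lists image files in a copy of the media directory named above whose modification time is older than the auto-delete timer (24 hours or 7 days). It assumes a file's mtime approximates when the image arrived; the function and constant names are hypothetical.

```python
import os
import time

# Auto-delete timers named in the article, in seconds.
TIMERS = {"24h": 24 * 3600, "7d": 7 * 24 * 3600}

def looks_like_image(path):
    """Identify images by content, since cached files may lack a useful extension.

    Assumption: only JPEG, PNG and WebP signatures are checked.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(12)
    except OSError:
        return False
    return (head.startswith(b"\xff\xd8\xff")
            or head.startswith(b"\x89PNG\r\n\x1a\n")
            or (head[:4] == b"RIFF" and head[8:12] == b"WEBP"))

def find_stale_images(media_dir, timer="24h", now=None):
    """Return (path, age_hours) for images older than the timer, oldest first.

    Assumption: mtime approximates arrival time. The directory also holds
    images from chats without auto-delete, so hits are candidates to review,
    not proof that a self-destructed image survived.
    """
    now = time.time() if now is None else now
    limit = TIMERS[timer]
    hits = []
    for root, _dirs, files in os.walk(media_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                age = now - os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if age > limit and looks_like_image(path):
                hits.append((path, round(age / 3600, 1)))
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    # Path as given in the article; point this at a pulled copy when testing.
    for path, hours in find_stale_images("/Storage/Emulated/0/Telegram/Telegram Picture"):
        print(f"{hours:8.1f} h  {path}")
```

Running the check before and after updating the app, on a test chat with auto-delete enabled, shows whether expired images still accumulate in the directory.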
Telegram requests “confidentiality” in exchange for a bounty reward
But for a simple bug like this, it wasn’t easy to get Telegram’s attention, Dmitrii explained. The researcher contacted Telegram in early March. After a series of emails and text correspondence between the researcher and Telegram spanning months, the company reached out to Dmitrii in September, finally confirming the existence of the bug and collaborating with the researcher during beta testing. For his efforts, Dmitrii was offered a €1,000 ($1,159) bug bounty reward.
Although many companies with bug bounty programs offer monetary rewards to ethical hackers who identify and responsibly report vulnerabilities, disclosure of the security flaws is usually permitted after an agreed-upon period of 60 or 90 days.
“Having studied the contract despatched by electronic mail by a Telegram consultant, I drew consideration to the truth that Telegram requires [me] to not disclose any particulars of cooperation/technical particulars by default with out its written approval,” wrote Dmitrii, referring to the eight-page-long agreement the company provided the researcher.
Since then, the researcher claims he has been ghosted by Telegram, which has given no response and no reward. “I’ve not obtained the promised reward from Telegram in €1,000 or another,” he wrote.
Interestingly, in 2019, a separate bug also concerning the self-destruct feature was reported by another researcher, who walked away with a higher bug bounty: a €2,500 ($2,897) reward rather than a measly €1,000.
Telegram’s vulnerability reporting program, managed by HackerOne, is also unclear about the company’s responsible disclosure protocol. The document links further to a FAQ that mentions “bounties” and “Cracking Contests” organized by Telegram, but there’s nothing about if or when security issues could be disclosed.
The latest version of the Telegram Android app released on September 22, as seen by Ars, is v8.1.2 on the Google Play Store, although the reported bug was likely patched in an earlier version. Regardless, Telegram users should update their app to the latest version to receive current and future security updates.
Ars reached out to Telegram for comment in advance, but we haven’t heard back.