Researcher refuses Telegram’s bounty award, discloses auto-delete bug

Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug is not happy with Telegram’s months-long turnaround time, nor with the $1,159 (€1,000) bounty award offered in exchange for his silence.

Self-destructed images remained on the device

Like other messaging apps, Telegram lets senders set communications to “self-destruct,” so that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both senders and recipients who intend to communicate discreetly.

In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:

  • Set messages to auto-delete for everyone 24 hours or 7 days after sending
  • Control auto-delete settings in any of your chats, as well as in groups and channels where you are an admin
  • To enable auto-delete, right-click on the chat in the chat list > Clear History > Enable Auto-Delete

But within a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.

Because each instance of self-destruction takes at least 24 hours to run, Dmitrii’s tests spanned several days.

“After only a few days… having shown diligence, I achieved what I was looking for: Messages that should be auto-deleted from participants in private and private group chats were only ‘deleted’ visually [in the messaging window], but in reality, image messages remained on the device [in] the cache,” the researcher wrote in a roughly translated blog post published last week.

Tracked as CVE-2021-41861, the flaw is relatively simple. In Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the /Storage/Emulated/0/Telegram/Telegram Images directory after roughly two to four uses of the self-destruct feature. But the UI appears to indicate to the user that the media was properly destroyed.
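As an added illustration (not the researcher's own test harness and not Telegram code), the check below encodes the methodology the article describes: record each self-destruct image with its send time and timer, wait past the timer, then compare what the chat window shows with what is still in the client's image directory. The filenames, timestamps and temporary directory are constructed; on a real device the directory would be the one named above.

```python
import os
import tempfile
from dataclasses import dataclass

DAY = 24 * 60 * 60


@dataclass
class SentMedia:
    """One self-destruct image message as the tester recorded it (constructed)."""
    message_id: int
    filename: str        # name the client gave the attachment in its image directory
    sent_at: float       # epoch seconds when the message was sent
    ttl_seconds: int     # auto-delete period chosen by the sender (24h or 7d)
    visible_in_ui: bool  # whether the message still shows in the chat window


def audit_auto_delete(records, image_dir, now):
    """Return ids of messages whose timer has expired and which the UI no longer
    shows, but whose image file is still present in image_dir (the reported pattern)."""
    leftovers = []
    for r in records:
        expired = now >= r.sent_at + r.ttl_seconds
        on_disk = os.path.exists(os.path.join(image_dir, r.filename))
        if expired and not r.visible_in_ui and on_disk:
            leftovers.append(r.message_id)
    return leftovers


def run_constructed_scenario():
    """Build a throwaway image directory that mimics the reported behaviour:
    files for some expired messages were removed, one was left behind."""
    now = 10 * DAY
    records = [
        SentMedia(1, "1001.jpg", sent_at=1 * DAY, ttl_seconds=DAY, visible_in_ui=False),
        SentMedia(2, "1002.jpg", sent_at=2 * DAY, ttl_seconds=DAY, visible_in_ui=False),
        SentMedia(3, "1003.jpg", sent_at=3 * DAY, ttl_seconds=DAY, visible_in_ui=False),
        SentMedia(4, "1004.jpg", sent_at=9.5 * DAY, ttl_seconds=DAY, visible_in_ui=True),
    ]
    with tempfile.TemporaryDirectory() as image_dir:
        # Messages 1 and 2 were cleaned up correctly; message 3 left its file behind;
        # message 4 has not expired yet, so its file is legitimately still there.
        for name in ("1003.jpg", "1004.jpg"):
            with open(os.path.join(image_dir, name), "wb") as fh:
                fh.write(b"\xff\xd8\xff constructed JPEG stub")
        return audit_auto_delete(records, image_dir, now)


if __name__ == "__main__":
    print("messages with residual media:", run_constructed_scenario())  # → [3]
```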

Telegram requests “confidentiality” in exchange for a bounty reward

But for a simple bug like this, it wasn’t easy to get Telegram’s attention, Dmitrii explained. The researcher contacted Telegram in early March. After a series of emails and text correspondence between the researcher and Telegram spanning months, the company reached out to Dmitrii in September, finally confirming the existence of the bug and collaborating with the researcher during beta testing. For his efforts, Dmitrii was offered a $1,159 (€1,000) bug bounty reward.

Although many companies with bug bounty programs offer monetary rewards to ethical hackers who identify and responsibly report vulnerabilities, disclosure of the security flaws is typically permitted after an agreed-upon period of 60 or 90 days.

“Having studied the contract sent by email by a Telegram representative, I drew attention to the fact that Telegram requires [me] not to disclose any details of cooperation/technical details by default without its written approval,” wrote Dmitrii, referring to the eight-page-long agreement the company presented to the researcher.

Telegram’s bug bounty reward settlement.

Since then, the researcher says he has been ghosted by Telegram, which has given no response and no reward. “I have not received the promised reward from Telegram in €1,000 or any other,” he wrote.

Interestingly, in 2019 a separate bug also concerning the self-destruct feature was reported by another researcher, who walked away with a higher bug bounty: a $2,897 (€2,500) reward rather than a measly $1,159.

Telegram’s vulnerability reporting program, managed by HackerOne, is also unclear about the company’s responsible disclosure protocol. The document links further to an FAQ that mentions “bounties” and “Cracking Contests” organized by Telegram, but there is nothing about if or when security issues can be disclosed.

The latest version of the Telegram Android app, released on September 22, as seen by Ars, is v8.1.2 on the Google Play Store, although the reported bug was likely patched in an earlier version. Regardless, Telegram users should update their app to the latest version to receive current and future security updates.

Ars has reached out to Telegram for comment in advance, and we’re awaiting the company’s response.
