Secure messaging app Telegram leaks anything pasted in to it

Telegram App

Security researcher Kirill Firsov found a data leak in the popular messaging app Telegram. In the OS X version, text that was copied-and-pasted into the app was also written to the file /var/log/system.log, better known as the syslog, creating a sort of ad-hoc and unnoticed backup of any private conversations or notes.

Telegram was created specifically to be a secure messenger – one of many that has appeared on the market recently – and describes itself as the “more secure alternative” to common messaging apps like WhatsApp.

Macs keep their system logs for seven days but an attacker would normally need physical access to a machine to read them. In corporate environments system, however, log messages are sometimes forwarded to a dedicated logging server, which would create a copy of the text beyond the user’s control as well as opportunities for it to be snooped on-the-wire.

The app’s founder, Pavel Durov, hit back via Twitter noting that getting access to the syslog was hard and there are far easier ways to read text that’s been copy and pasted because “any app can read your clipboard.”

He also noted that the app was quickly patched after the vulnerability was disclosed, so current Telegram app users should be leak free.

Its strong focus on security and privacy has helped Telegram’s usage skyrocket with both privacy-minded consumers as well as the more criminal-minded.

This vulnerability probably posed a bigger danger to the app’s reputation than its users. However, the fact that this was swiftly addressed and patched should reduce the impact for both.

That said, with Facebook potentially rolling out end-to-end encryption for its own Messenger, services like Telegram no doubt are looking over their shoulder more than before.