Telegram’s main selling point is that its chat network is secure and private, but it appears the company has failed Mac users on both counts.

Security researcher Dhiraj Mishra has discovered that Telegram was not actually deleting so-called “self-destructing” videos on the macOS computers of recipients.

The issue is that Telegram was saving all media to the same directory, which was visible in regular chats but hidden in private chats. Media from private chats was nevertheless still stored in that same location, which was accessible to the end user, who could then simply view and copy the media from there.

Mishra also discovered a second vulnerability in the macOS software. Users can set a passcode to open the app, but this passcode was being stored in plain text in a JSON file which could be read by anyone with access to the computer.
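To make the second issue concrete, here is an added example (not Telegram's code or its actual fix) that writes a local app passcode to a JSON file first in plain text, as described above, and then as a salted PBKDF2 verifier in an owner-only file. The field names, file names, iteration count and sample passcode are assumptions made up for the illustration.

```python
import hashlib, hmac, json, os, tempfile

ITERATIONS = 600_000  # assumed work factor for this illustration

def save_plaintext(path, passcode):
    # The weak pattern: the passcode itself is written to the JSON file.
    with open(path, "w") as f:
        json.dump({"passcode": passcode}, f)

def save_hashed(path, passcode):
    # Hardened form: store only a salted, slow hash of the passcode.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS)
    record = {"kdf": "pbkdf2-sha256", "iterations": ITERATIONS,
              "salt": salt.hex(), "hash": digest.hex()}
    # Create the file readable and writable by its owner only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(record, f)

def verify(path, attempt):
    with open(path) as f:
        record = json.load(f)
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    # Constant-time comparison of the computed and stored hashes.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def read_text(path):
    with open(path) as f:
        return f.read()

def demo(passcode="tg-4321"):  # constructed sample passcode
    with tempfile.TemporaryDirectory() as d:
        weak, strong = os.path.join(d, "weak.json"), os.path.join(d, "strong.json")
        save_plaintext(weak, passcode)
        save_hashed(strong, passcode)
        return {
            "weak_leaks": passcode in read_text(weak),
            "strong_leaks": passcode in read_text(strong),
            "other_users_bits": os.stat(strong).st_mode & 0o077,
            "right_ok": verify(strong, passcode),
            "wrong_ok": verify(strong, "0000"),
        }

# Note: a short numeric passcode can still be guessed offline from the hash;
# the slow KDF and file permissions only raise the cost of doing so.
if __name__ == "__main__":
    print(demo())
```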

Mishra has informed Telegram of the issues, and the company has fixed them in version 7.4 of the app, but the issues reflect very badly on the security of the app in general.

via Winfuture, BleepingComputer.