This popular Telegram privacy feature is practically useless for some users

Security researchers have uncovered a simple way to circumvent the self-destructing messages feature in popular chat application Telegram.

In a blog post, security company Trustwave detailed two separate vulnerabilities in Telegram for macOS, both of which compromise the effectiveness of the privacy feature.

The first can be abused to retrieve message data (images, video messages, voice recordings and shared locations) even after the self-destruct process has been triggered, while the second lets someone access media without opening the message and setting off the self-destruct timer.

Both scenarios are made possible by the way in which Telegram stores message content in cache on macOS devices; other operating systems are not affected.

Telegram privacy features

The self-destructing messages option is housed within the Telegram Secret Chat mode, which offers users an additional layer of privacy and security afforded by end-to-end encryption. This means no third party, including Telegram, has access to the messages sent to and fro.

Self-destructing messages are supposed to take this a step further, allowing users to set a timer after which messages and associated media are deleted from both devices without a trace. However, the two bugs discovered by Trustwave appear to render the feature effectively obsolete.

Trustwave says it reported both security issues to Telegram, which took action to plug up one but not the other. At the time of writing, Telegram for macOS can still be abused to gain access to media files without opening a self-destructing message.

As a justification for the decision to leave the second issue unaddressed, Telegram provided researchers with the following statement:

“Please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app’s folder), and we clearly warn users about such circumstances.”

In its blog post, Trustwave also notes that it was forced to decline the offer of a bug bounty reward, the receipt of which would have prevented the researchers from disclosing their findings to the public.

“Bug bounties are a welcome reward for individual researchers providing what amounts to a security audit that results in a better product and a more secure user base,” wrote Reegun Jayapaul, Lead Threat Architect.

“However, bug bounties that require permanent silence about a vulnerability do not help the broader community to improve their security practices and can serve to raise questions about what exactly the bug bounty is compensating the individual for - reporting a vulnerability or their silence to the community.”

Telegram has not yet responded to our request for comment on this criticism.

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
