Researcher refuses Telegram’s bounty award, discloses auto-delete bug

Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug is not happy with Telegram's months-long turnaround time, nor with the €1,000 ($1,159) bounty award offered in exchange for his silence.

Self-destructed images remained on the device

Like other messaging apps, Telegram allows senders to set communications to "self-destruct," such that messages and any media attachments are automatically deleted from the device after a set time period. Such a feature offers extended privacy to both senders and recipients intending to communicate discreetly.

In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:

  • Set messages to auto-delete for everyone 24 hours or 7 days after sending
  • Control auto-delete settings in any of your chats, as well as in groups and channels where you are an admin
  • To enable auto-delete, right-click on the chat in the chat list > Clear History > Enable Auto-Delete

But within a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.

Because each instance of self-destruction takes at least 24 hours to run, Dmitrii's tests spanned a few days.

"After only a few days… having shown diligence, I achieved what I was looking for: Messages that should be auto-deleted from people in private and private group chats were only 'deleted' visually [in the messaging window], but in reality, picture messages remained on the device [in] the cache," the researcher wrote in a roughly translated blog post published last week.

Tracked as CVE-2021-41861, the flaw is rather simple. In Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the /Storage/Emulated/0/Telegram/Telegram Image directory after roughly two to four uses of the self-destruct feature. But the UI appears to indicate to the user that the media was properly destroyed.
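To make the failure mode concrete, here is a constructed Python model of the defect (an added example, not Telegram's code): a chat store that deletes the visible message record but leaves the cached image on disk, beside a version that purges both, with an audit routine that reports orphaned media. The `ChatStore` class, its cache directory and the sample image bytes are all hypothetical.

```python
import os
import tempfile

# Constructed model of the bug described above: a chat store holds message
# records, and received images are cached on disk in a directory playing the
# role of the app's "Telegram Image" folder. Auto-delete must purge both.


class ChatStore:
    def __init__(self, cache_dir):
        self.cache_dir = cache_dir
        self.messages = {}  # msg_id -> {"expires": ts, "media": path or None}

    def receive_image(self, msg_id, data, ttl_seconds, now):
        path = os.path.join(self.cache_dir, f"{msg_id}.jpg")
        with open(path, "wb") as f:
            f.write(data)
        self.messages[msg_id] = {"expires": now + ttl_seconds, "media": path}

    def auto_delete_buggy(self, now):
        # Removes the record from the chat view only; the cached file survives.
        for msg_id in [m for m, r in self.messages.items() if r["expires"] <= now]:
            del self.messages[msg_id]

    def auto_delete_fixed(self, now):
        # Unlinks the cached media before forgetting the record.
        for msg_id in [m for m, r in self.messages.items() if r["expires"] <= now]:
            media = self.messages[msg_id]["media"]
            if media and os.path.exists(media):
                os.remove(media)
            del self.messages[msg_id]

    def orphaned_media(self):
        # Audit: cached files that no live message references.
        live = {r["media"] for r in self.messages.values() if r["media"]}
        paths = (os.path.join(self.cache_dir, n) for n in os.listdir(self.cache_dir))
        return sorted(p for p in paths if p not in live)


def demo(fixed):
    # Returns the number of orphaned files left after one expired image.
    with tempfile.TemporaryDirectory() as cache:
        store = ChatStore(cache)
        store.receive_image("m1", b"\xff\xd8fake-jpeg", ttl_seconds=24 * 3600, now=0)
        # Advance the clock past expiry instead of waiting a real day.
        (store.auto_delete_fixed if fixed else store.auto_delete_buggy)(now=24 * 3600 + 1)
        return len(store.orphaned_media())


if __name__ == "__main__":
    print("orphans after buggy auto-delete:", demo(fixed=False))  # 1
    print("orphans after fixed auto-delete:", demo(fixed=True))   # 0
```

The `orphaned_media` audit is the check a tester would run against the real cache directory after an auto-delete timer fires: any file it lists is media the UI claims is gone.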

Telegram requests "confidentiality" in exchange for a bounty reward

But for a simple bug like this, it wasn't easy to get Telegram's attention, Dmitrii explained. The researcher contacted Telegram in early March. And after a series of emails and text correspondence between the researcher and Telegram spanning months, the company reached out to Dmitrii in September, finally confirming the existence of the bug and collaborating with the researcher during beta testing. For his efforts, Dmitrii was offered a €1,000 ($1,159) bug bounty reward.

Although many companies with bug bounty programs offer monetary rewards to ethical hackers who identify and responsibly report vulnerabilities, disclosure of the security flaws is typically permitted after an agreed-upon period of 60 or 90 days.

"Having studied the contract sent by email by a Telegram representative, I drew attention to the fact that Telegram requires [me] not to disclose any details of cooperation/technical details by default without its written approval," wrote Dmitrii, referring to the eight-page-long agreement the company provided the researcher.

Telegram's bug bounty reward agreement.

Since then, the researcher says he has been ghosted by Telegram, which has given no response and no reward. "I have not received the promised reward from Telegram in €1,000 or any other," he wrote.

Interestingly, in 2019, a separate bug also relating to the self-destruct feature was reported by another researcher who walked away with a higher bug bounty: a €2,500 ($2,897) reward rather than a measly €1,000.

Telegram's vulnerability reporting program, managed by HackerOne, is also unclear about the company's responsible disclosure protocol. The document links further to a FAQ that mentions "bounties" and "Cracking Contests" organized by Telegram, but there is nothing about if or when security issues may be disclosed.

The latest version of the Telegram Android app released on September 22, as seen by Ars, is v8.1.2 on the Google Play Store, although the reported bug was likely patched in an earlier version. Regardless, Telegram users should update their app to the latest version to receive current and future security updates.

Ars reached out to Telegram for comment in advance, but we have not heard back.