Skip to content
Naked Security Naked Security

Secure messaging app Telegram leaks anything pasted in to it

The app was quickly patched so users with the latest Telegram release should be leak free
Written by
August 01, 2016
Naked Security App Data Leak messaging Privacy Telegram

Security researcher Kirill Firsov found a data leak in the popular messaging app Telegram. In the OS X version, text that was copied-and-pasted into the app was also written to the file /var/log/system.log, better known as the syslog, creating a sort of ad-hoc and unnoticed backup of any private conversations or notes.

Telegram was created specifically to be a secure messenger – one of many that has appeared on the market recently – and describes itself as the “more secure alternative” to common messaging apps like WhatsApp.

Macs keep their system logs for seven days but an attacker would normally need physical access to a machine to read them. In corporate environments system, however, log messages are sometimes forwarded to a dedicated logging server, which would create a copy of the text beyond the user’s control as well as opportunities for it to be snooped on-the-wire.

The app’s founder, Pavel Durov, hit back via Twitter noting that getting access to the syslog was hard and there are far easier ways to read text that’s been copy and pasted because “any app can read your clipboard.”

He also noted that the app was quickly patched after the vulnerability was disclosed, so current Telegram app users should be leak free.

Its strong focus on security and privacy has helped Telegram’s usage skyrocket with both privacy-minded consumers as well as the more criminal-minded.

This vulnerability probably posed a bigger danger to the app’s reputation than its users. However, the fact that this was swiftly addressed and patched should reduce the impact for both.

That said, with Facebook potentially rolling out end-to-end encryption for its own Messenger, services like Telegram no doubt are looking over their shoulder more than before.

About the Author

I'm a geek who loves to get people fired up about security and privacy. Tweeting about infosec, Star Trek, road cycling, and video games over at @mvarmazis.

Read Similar Articles

6 Comments

In corporate environments system, however, log messages are sometimes forwarded to a dedicated logging server, which would create a copy of the text beyond the user’s control as well as opportunities for it to be snooped on-the-wire.

Also where one finds dedicated syslog servers, one will generally find log archives far older than seven days.

There’s also the issue that, without some sort of clipboard add-on, the previous contents of your clipboard get bumped out and replaced every time you hit Wacky-C (or Wacky-X), so the contents are often soon purged, often by inconsequential text that follows something critical. (Indeed, if I’ve had something in the clipboard that I don’t want to risk pasting somewhere else by mistake, I often deliberately copy something pointless, like a punctuation mark.)

…but would an exclamation point still qualify?
:-)

On the other side of that characteristic, I’ve lamented more than a few times it’d be nice to have a handful of paste buffers like in vim–though there’s likely “an app for that.” Copying a line of error code you’re debugging doesn’t help if you get pulled aside for a moment to send a printer driver download link to someone….shift-insert, D’OH!

I used to have a super-duper clipboard enhancer thing for OS X but I stopped using it because its history buffer left a lot lying around that I had to keep remembering to clear out. It sounds as though the Telegram commenter wouldn’t consider this a security risk because any other app could have read from the clipboard itself already.

By all means remind people that the clipboard is intended for sharing dara between processes and thus that it can expose personal data unexpectedly…but don’t use that as an excuse for writing transient user data to the system log by mistake. (Would this excuse also cover accidentally posting all clipboard contents to an external web server? “Hey, we used HTTPS!” :-)

Yes, we announced your PII to a thousand people, but you’re overreacting…

We were at White Hat Con, so there’s nothing to worry about.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?