Security researcher Kirill Firsov found a data leak in the popular messaging app Telegram. In the OS X version, text that was copied-and-pasted into the app was also written to the file /var/log/system.log, better known as the syslog, creating a sort of ad-hoc and unnoticed backup of any private conversations or notes.
Official #Telegram for MacOS logs every pasted message to syslog, even in secret chats. @durov what's going on? pic.twitter.com/MvbWguAkT0
— Kirill Firsov (@k_firsov) July 23, 2016
Telegram was created specifically to be a secure messenger – one of many that has appeared on the market recently – and describes itself as the “more secure alternative” to common messaging apps like WhatsApp.
Macs keep their system logs for seven days, but an attacker would normally need physical access to a machine to read them. In corporate environments, however, system log messages are sometimes forwarded to a dedicated logging server, which would create a copy of the text beyond the user’s control as well as opportunities for it to be snooped on the wire.
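For a defender who forwards macOS system logs to a central server, the practical question is whether any application is writing free-form user text into syslog at all. The audit script below is an added example, not code from the article or from Telegram: it parses BSD-style syslog lines of the kind OS X wrote to /var/log/system.log, counts messages per process, and flags lines from a watched process whose message reads like human prose rather than a diagnostic. The sample log lines, the process name “Telegram”, and the “pasted:” message prefix are all constructed for the example; the real leaked log format is not shown in the article.

```python
import re
from collections import defaultdict

# Constructed sample of BSD-style syslog lines (the format OS X used before
# the unified logging system). The Telegram lines and the "pasted:" prefix are
# invented for this example, not taken from the real leak.
SAMPLE_LOG = """\
Jul 23 14:02:11 macbook kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
Jul 23 14:02:15 macbook Telegram[4242]: pasted: meet me at the usual place at 9, bring the contract
Jul 23 14:02:18 macbook com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.pid.WebContent.4301): Path not allowed in target domain
Jul 23 14:03:01 macbook Telegram[4242]: pasted: my password is hunter2, do not share it
Jul 23 14:03:40 macbook mdworker[4310]: (Normal) Import: Importing file
"""

# "Mon DD HH:MM:SS host process[pid] (optional facility): message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)(?:\[(?P<pid>\d+)\])?"
    r"(?: \([^)]*\))?: "
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Return a dict with ts/host/proc/pid/msg, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] is not None else None
    return rec


def looks_like_user_text(msg, min_words=4, min_ratio=0.6):
    """Heuristic: prose has several plain alphabetic words; diagnostics are
    dominated by identifiers, hex values, paths and punctuation."""
    words = msg.split()
    if not words:
        return False
    alpha = [w for w in words if re.fullmatch(r"[A-Za-z][A-Za-z',.?!]*", w)]
    return len(alpha) >= min_words and len(alpha) / len(words) >= min_ratio


def audit_log(text, watched_processes):
    """Return (findings, counts): findings are records from watched processes
    whose message looks like user-typed text; counts is messages per process."""
    findings = []
    counts = defaultdict(int)
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        counts[rec["proc"]] += 1
        if rec["proc"] in watched_processes and looks_like_user_text(rec["msg"]):
            findings.append(rec)
    return findings, dict(counts)


if __name__ == "__main__":
    found, per_proc = audit_log(SAMPLE_LOG, {"Telegram"})
    for proc, n in sorted(per_proc.items()):
        print(f"{proc:25s} {n} message(s)")
    for rec in found:
        print(f"POSSIBLE USER DATA IN SYSLOG: {rec['proc']}[{rec['pid']}] {rec['msg']!r}")
```

On a real host you would feed the script the contents of /var/log/system.log (or the forwarded copy on the log server) and watch the chat and note-taking applications you deploy; the heuristic is deliberately loose, so treat a hit as a prompt to inspect the application, not as proof of a leak.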
The app’s founder, Pavel Durov, hit back via Twitter noting that getting access to the syslog was hard and there are far easier ways to read text that’s been copy and pasted because “any app can read your clipboard.”
(2)… AppStore apps can NOT access syslog (starting 10.12 also true for unsigned apps). But ANY app can read your clipboard.
— Pavel Durov (@durov) July 24, 2016
He also noted that the app was quickly patched after the vulnerability was disclosed, so current Telegram app users should be leak free.
Its strong focus on security and privacy has helped Telegram’s usage skyrocket with both privacy-minded consumers as well as the more criminal-minded.
This vulnerability probably posed a bigger danger to the app’s reputation than its users. However, the fact that this was swiftly addressed and patched should reduce the impact for both.
That said, with Facebook potentially rolling out end-to-end encryption for its own Messenger, services like Telegram no doubt are looking over their shoulder more than before.
Bryan
In corporate environments, however, system log messages are sometimes forwarded to a dedicated logging server, which would create a copy of the text beyond the user’s control as well as opportunities for it to be snooped on the wire.
Also where one finds dedicated syslog servers, one will generally find log archives far older than seven days.
Paul Ducklin
There’s also the issue that, without some sort of clipboard add-on, the previous contents of your clipboard get bumped out and replaced every time you hit Wacky-C (or Wacky-X), so the contents are often soon purged, often by inconsequential text that follows something critical. (Indeed, if I’ve had something in the clipboard that I don’t want to risk pasting somewhere else by mistake, I often deliberately copy something pointless, like a punctuation mark.)
Bryan
…but would an exclamation point still qualify?
:-)
On the other side of that characteristic, I’ve lamented more than a few times it’d be nice to have a handful of paste buffers like in vim–though there’s likely “an app for that.” Copying a line of error code you’re debugging doesn’t help if you get pulled aside for a moment to send a printer driver download link to someone….shift-insert, D’OH!
Paul Ducklin
I used to have a super-duper clipboard enhancer thing for OS X but I stopped using it because its history buffer left a lot lying around that I had to keep remembering to clear out. It sounds as though the Telegram commenter wouldn’t consider this a security risk because any other app could have read from the clipboard itself already.
By all means remind people that the clipboard is intended for sharing data between processes and thus that it can expose personal data unexpectedly…but don’t use that as an excuse for writing transient user data to the system log by mistake. (Would this excuse also cover accidentally posting all clipboard contents to an external web server? “Hey, we used HTTPS!” :-)
Bryan
Yes, we announced your PII to a thousand people, but you’re overreacting…
We were at White Hat Con, so there’s nothing to worry about.
Jay
Bbm still the best of them…