The desktop variant for the Telegram secure messaging app fails to protect chat content locally and provides access to plain text conversations and media that travel otherwise encrypted.
Telegram’s emphasis on providing secure communications is well known. The app uses encryption to ensure that a third party cannot read conversations on the way to the destination.
A feature called “secret chats” is available for those who want complete privacy for their communication, using end-to-end encryption to ensure that only the sender and recipient can access the content.
These precautions guard against tampering or a breach of privacy during transport; the conversations and media files that Telegram stores locally are fairly easy to access and read because they are not encrypted.
Nathanael Suchy was able to read the application database and messages stored in it. In a conversation with BleepingComputer, Suchy said that Telegram uses “a somewhat difficult to read, but otherwise unencrypted, SQLite database to store messages.”
By converting the raw data into a simpler visual format, Suchy also found names and phone numbers that could be correlated with each other. Even so, the information is not easy to read, but custom scripts could bring out the details in a more intelligible way and automate the extraction.
Telegram does not encrypt its SQLite database and leaves plain text messages on the system. The same goes with Signal, a discovery also credited to Suchy.
Telegram Desktop offers password protection to prevent unauthorized access to the app, but this security option does not add encryption. An overly curious, tech-savvy computer user might still read your chats.
The researcher also tested the “secret chat” functionality. It turns out that all messages go to the same database whether or not they have end-to-end encryption.
Media files fare no better. Obscuring them seems to be the only protection against their extraction: Suchy was able to change a file's extension to an image type in order to display it.
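As an added audit example (not code from the article or the researcher), the following Python check tells whether a file in a local app-data directory is a plaintext SQLite database, a recognisable image regardless of its extension, or high-entropy data that is likely encrypted at rest. The directory path and the file signatures are generic assumptions, not Telegram-specific values.

```python
import math
from pathlib import Path

# Leading bytes of formats a chat client commonly leaves on disk (constructed list).
SIGNATURES = {
    b"SQLite format 3\x00": "plaintext SQLite database",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF8": "GIF image",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; properly encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_blob(data: bytes) -> str:
    """Name the plaintext format a blob starts with, or flag it as likely encrypted.

    A renamed extension does not change these leading bytes, which is why an
    obscured filename alone does not protect stored media at rest.
    """
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    if shannon_entropy(data[:4096]) > 7.5:
        return "high-entropy (likely encrypted or compressed)"
    return "unknown plaintext"


def audit_directory(root: str) -> dict:
    """Walk an app-data directory and report each file's at-rest state.

    `root` is whatever local storage path the messenger uses on your system
    (hypothetical placeholder; check the client's documentation).
    """
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                report[str(path)] = classify_blob(fh.read(4096))
    return report
```

Any entry reported as a plaintext database or image is data that only full-disk encryption (see below) will protect from another local user.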
Saving data locally in plain text is not something to expect from a secure messaging app. When French hacker and entrepreneur Matt Suiche first discovered this behavior with Signal, he couldn’t believe it.
Joshua Lund, Community and Support Manager at Signal, says encryption at rest is not something the desktop variant of the app tries to provide. The same argument holds for Telegram; both apps aim to deliver communications that cannot be spied on in transit, and they do. Even so, it’s strange that the encryption doesn’t extend to the data stored locally.
Locally stored data can be protected by enabling full disk encryption at the operating system level. This is available on Windows via BitLocker and on macOS via FileVault; the functionality is also present on Linux, where some reputable distributions offer it during installation.
BleepingComputer tried to contact the Telegram team for comment but received no response at the time of posting.
Update 10/31/18: This problem affects the Telegram for macOS version only.