The desktop variant of the Telegram secure messaging app fails to protect chat content locally: it leaves plain-text conversations and media on disk that otherwise travel encrypted.
Telegram’s focus on providing secure communication is well known. The app uses encryption to ensure that a third party cannot read the conversations on their way to the destination.
A feature called ‘secret chats’ is available for those who want complete privacy for their communication, by using end-to-end encryption to guarantee that only the sender and the receiver can access the contents.
These precautions guard against tampering and eavesdropping in transit; the conversations and media files Telegram Desktop stores locally are fairly easy to access and read because they are not encrypted at rest.
Nathaniel Suchy was able to read the app's database and the messages saved there. In a conversation with BleepingComputer Suchy said that Telegram uses “a somewhat difficult to read, but otherwise, not encrypted, SQLite Database to store messages.”
By converting the raw data to a simpler viewing format, Suchy also found names and phone numbers that could be correlated with one another. The information is not easy to read as stored, but custom scripts could make the details stand out more intelligibly and automate the extraction.
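The kind of extraction script the paragraph above refers to, as an added example that is not Suchy's script and not taken from Telegram or Signal. It builds a small unencrypted SQLite file with an invented two-table layout (the table and column names are an assumption for illustration, not the real application schema), enumerates every table through `sqlite_master` without prior knowledge of the schema, scans all text cells for phone-number-shaped strings, and joins messages to contact names and numbers.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample: a small unencrypted SQLite file standing in for a
# messenger's local store. The table layout is invented for this example and
# is NOT Telegram's or Signal's real schema.
def build_sample_db(path):
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, contact_id INTEGER,
                               body TEXT, sent_at TEXT);
        INSERT INTO contacts VALUES (1, 'Alice Example', '+15551230001');
        INSERT INTO contacts VALUES (2, 'Bob Example', '+15551230002');
        INSERT INTO messages VALUES (1, 1, 'see you at 9', '2018-10-30T08:00:00');
        INSERT INTO messages VALUES (2, 2, 'call me on +1 555 123 0002',
                                     '2018-10-30T08:05:00');
    """)
    con.commit()
    con.close()

def dump_tables(path):
    """Enumerate every user table through sqlite_master and return all rows,
    so no prior knowledge of the schema is needed."""
    con = sqlite3.connect(path)
    con.row_factory = sqlite3.Row
    tables = {}
    names = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for name in names:
        quoted = '"' + name.replace('"', '""') + '"'   # safe identifier quoting
        tables[name] = [dict(r) for r in con.execute(f"SELECT * FROM {quoted}")]
    con.close()
    return tables

# Loose phone-number shape; the digit-count filter below rejects short hits
# such as dates ("2018-10-30" carries only eight digits).
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def find_phone_numbers(tables):
    """Scan every text cell of every table for phone-number-like strings and
    return them normalised to digits (with a leading '+' if present)."""
    found = set()
    for rows in tables.values():
        for row in rows:
            for val in row.values():
                if not isinstance(val, str):
                    continue
                for m in PHONE_RE.finditer(val):
                    digits = re.sub(r"\D", "", m.group())
                    if 10 <= len(digits) <= 15:
                        prefix = "+" if m.group().startswith("+") else ""
                        found.add(prefix + digits)
    return sorted(found)

def correlate(tables):
    """Join each message to the contact's name and phone number, the step a
    custom extraction script automates (assumes the sample schema above)."""
    contacts = {c["id"]: c for c in tables.get("contacts", [])}
    out = []
    for m in tables.get("messages", []):
        c = contacts.get(m["contact_id"], {})
        out.append((c.get("name"), c.get("phone"), m["body"]))
    return out

def demo():
    """Build the sample store in a temporary directory and run all steps."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_sample_db(path)
        tables = dump_tables(path)
        return tables, find_phone_numbers(tables), correlate(tables)

if __name__ == "__main__":
    tables, phones, chats = demo()
    for name, rows in tables.items():
        print(f"table {name}: {len(rows)} rows")
    print("phone numbers:", phones)
    for who, phone, body in chats:
        print(f"{who} <{phone}>: {body}")
```

Because the store is plain SQLite, nothing here needs a key or a password: `dump_tables` works against any unencrypted database, and only `correlate` depends on the invented table names. The same approach, pointed at a real at-rest store, is what turns "difficult to read" into a readable transcript.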
Telegram does not encrypt its SQLite database and leaves the messages lying in plain text on the system. The same happens with Signal, a discovery also credited to Suchy.
Telegram Desktop offers password protection to prevent unauthorized access to the app, but this option does not add encryption: a tech-savvy, overly curious user with access to the machine could still read your chats.
The researcher tested the ‘secret chat’ feature, too. It turns out that all the messages go to the same database, whether they benefit from end-to-end encryption or not.
Media files fare no better. Obfuscation seems to be the only protection against extracting them: Suchy was able to view a cached picture simply by giving the file an image extension.
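Renaming works because the file name was never what identified the content. As an added example (not Suchy's procedure and not code from Telegram), the script below identifies cached files by their leading bytes regardless of name or extension; the signature list and the extension-less sample files are constructed for this illustration.

```python
import os
import tempfile

# Signatures at offset 0 for formats a messenger commonly caches. This list is
# constructed for the example and is not exhaustive.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"RIFF", "riff (webp/wav/avi)"),
    (b"%PDF-", "pdf"),
    (b"\x1a\x45\xdf\xa3", "matroska/webm"),
    (b"OggS", "ogg"),
]

def identify_by_magic(data):
    """Return the format implied by the first bytes of data, ignoring any
    file name or extension; None if nothing matches."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    # ISO base media files (mp4/mov/m4a) carry 'ftyp' at offset 4, not 0.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4/mov"
    return None

def sniff_directory(path):
    """Map every file under path to its detected type, whatever it is called."""
    result = {}
    for root, _, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, path)] = identify_by_magic(fh.read(16))
    return result

def demo():
    """Write extension-less sample files (constructed headers plus filler
    bytes) into a temporary cache directory and sniff them."""
    samples = {
        "0a1b2c": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,          # a PNG
        "3d4e5f": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,  # a JPEG
        "6a7b8c": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32,      # an MP4
        "9d0e1f": b"nothing recognisable here",                    # unknown
    }
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "cache")
        os.makedirs(cache)
        for name, content in samples.items():
            with open(os.path.join(cache, name), "wb") as fh:
                fh.write(content)
        return sniff_directory(cache)

if __name__ == "__main__":
    for name, kind in sorted(demo().items()):
        print(f"{name}: {kind}")
```

Obscured names buy nothing against this kind of sweep; only encryption of the cache would. The `file` utility on macOS and Linux performs the same check with a far larger signature table.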
Saving data locally in plain text is not something to expect from a secure messaging app. When French hacker and entrepreneur Matt Suiche first discovered this behavior with Signal he couldn’t believe it.
Joshua Lund, Community and Support Manager at Signal, says that at-rest encryption is not something that the desktop variant of the app tries to provide. The same argument stands for Telegram; both apps aim to offer communications that cannot be eavesdropped on, and they do achieve this. Even so, it is odd that encryption does not extend to the local environment.
Protecting the data saved locally is possible by enabling full disk encryption from the operating system: BitLocker on Windows, FileVault on macOS, and on Linux LUKS, which several big-name distributions offer during the installation routine. Note that full disk encryption protects the files only while the machine is powered off or the volume is locked; once the user is logged in, anything running with that user's privileges can still read the database and the cached media.
BleepingComputer tried to contact the Telegram team for comments but received no reply at the time of publishing.
Update 10/31/18: This issue is affecting the Telegram for macOS version only.