That Telegram feature that let you delete your private messages on recipients' phones? It didn't work properly

Telegram has fixed a bug that broke one of its chat app's key privacy features: the ability to fully delete your sensitive messages on recipients' phones. The software claimed it could effectively recall messages you sent to your friends: recalled chats were said to be deleted from their devices. However, bug-bounty hunter …

  1. RobThBay

    They make it sound like remote-delete is something new. Maybe it is to Telegram, but RIM's/Blackberry's BBM had that feature at least 8 years ago. It's too bad BBM wasn't made cross-platform before all the copycats appeared on the scene.

  2. Anonymous Coward

    Loose lips?

    I suppose "if you wouldn't want to see it on the front page of the _Times_, do not put it on the internet" no longer applies? Yes, yes, this is a messaging app and not a website or social media thought-vomit bin, but still ... discretion, anyone?

  3. Joe W Silver badge

    In the folder

    If it was in a folder on the file system the recipient could have grabbed a copy anyway? It would have shown up in the gallery app, and could have been shared e.g. by email or another chat app, or a local copy could have been created?

    Ah, well. Such is life. You cannot reliably unpublish stuff, just as much as you cannot unsay things (well, 1984 etc...). But as I was told "A spoken word has fled like a bird and cannot be caught again", or something along these lines.

    1. lglethal Silver badge

      Re: In the folder

      "A spoken word has fled like a bird and cannot be caught again",

      Unless it's caught on camera or a microphone, in which case you're just as screwed!

      1. Anonymous Coward

        Re: In the folder

        Even before then. It was said thousands of years ago. To paraphrase: Do not speak it in your private room, because you do not know if a bird will hear it and fly away to tell others.

  4. Claptrap314 Silver badge
    Paris Hilton

    Is it not encrypted?

    As mentioned, files stored on file systems are trivially copied. If they were encrypted, it would at least take some technical know-how to view them outside the app. Is this not being done?

    1. Snake Silver badge

      Re: Is it not encrypted?

      This is a basic security flaw that has now been openly exposed. Once a file is written to storage, all one must do is run an undelete app (or root privileges) on the device to retrieve the file system marker. You then can retrieve the file and either view it directly, if unencrypted (which most Telegram-saved images are), or have the time to leisurely work on cracking open the encryption.

      No bueno.

    2. Lee T

      Re: Is it not encrypted?

      Regardless of encryption, the analog hole always exists - take a screenshot of the image, take a picture of the screen of the phone/PC, whatever. If it's visible to a person, it's copyable.

      1. Anonymous Coward

        Re: Is it not encrypted?

        I don't think anyone is suggesting using the remote delete after viewed by a user. But using it before. What's the point of deleting after the fact, if they did see it, they probably shared/copied it anyhow.

  5. clocKwize

    Anything that happens outside of your control is not guaranteed and should be treated as such. When I use "Also delete for X", it is in the knowledge that I'm really just trying to avoid confusion and keep the chat history tidy, I have no expectation that the other person never saw it and won't have it stored in some kind of chat log somewhere.

    Fine, if you're using Telegram to transfer top-secret secret documents - I hear its protocol encryption is pretty good (but I do not know for sure). But if you are - maybe just have the 1 chat with your MI5 contact on it, keep your 1000 person cat gif group chat separate.

    1. Kurgan

      I once wrote a wrong message (nothing worthy of notice) to my wife, so I just deleted it (and deleted for her, too) instead of just messaging her again saying that the previous message was wrong because blah blah blah. She called me and said that a strange thing happened: she had a notification with a message from me (and she could read the first 4 or 5 words of it) but then the message was nowhere to be found...

      So I explained the "delete" function, and that the message was wrong so I just deleted it.

      But still she was able to read the notification AFTER I deleted the message, so, basically, you cannot unsend what you have sent.

      1. clocKwize

        Yes that's a likely occurrence and has also happened to me. People get notifications for messages received, if they're looking at their phone when it comes in, they'll see it before you delete it, even if they haven't read the message and be confused when they go to read it fully and there is nothing there.

        Many things happen between sending a message and it being read. It just isn't that simple. People expect it to be and get sad though.

  6. Dhobi Whallah

    Ahem.... THOSE types of images? Oh dear...

    ". . confidential image . . was mistakenly sent to Alice. . "

    Ah yes, we've all "accidentally" sent images of our most precious body parts to strangers called Alice. C'est la vie.

  7. Anonymous Coward

    Easy solution.

    I can think of at least one working solution that would allow 99.99% confidence or greater that the entire message is deleted. Better yet, it would also know if it was read. It would also work if both phones were offline/off grid.

    It's probably not unique... and really easy to figure out. But I'll still not mention it, as no one is paying me masses to release broken apps, let alone working ones.

    1. Anonymous Coward
      Thumb Up

      Re: Easy solution.

      Thanks for the downvote! At least one person then does not know how public/private keys work, or how to send encrypted messages separately to the decryption keys! XD

      If the key is never sent, then you know for certain it is "deleted", and never opened.

  8. Flywheel Silver badge

    Quick! Let's check Whatsapp as well...

    ... and see if those pesky absentee Parliamentarians' private mumblings can be made public!

  9. iron Silver badge

    The grammar of this guy's quotes is terrible.

    This quote doesn't make any sense: "I found that since Telegram takes `read/write/modify` permission of the USB storage which technically means the confidential photo should have been deleted from Alice's device or storage"

    Nor does this one: "the word privacy of Telegram fails here again"

  10. Adrian 4 Silver badge

    Why would you want to replace your copy of the app with one that deletes what it's told to? Wouldn't you rather keep the version that doesn't delete it?

