Talos Vulnerability Report

TALOS-2018-0654

Telegram Android Secret Chats Information Disclosure Vulnerability

December 21, 2018
CVE Number

CVE-2018-3986

Summary

An exploitable information disclosure vulnerability exists in the "Secret Chats" functionality of the Telegram Android messaging application version 4.9.0. The "Secret Chats" functionality allows a user to delete all traces of a chat, either by using a time trigger or by direct request. There is a bug in this functionality that leaves behind photos taken and shared in the secret chats, even after the chats are deleted. These photos remain stored on the device and are accessible to all applications installed on the Android device.

Tested Versions

Telegram Messaging Application for Android 4.9.0

Product URLs

http://www.telegram.org

CVSSv3 Score

4.2 - CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-359: Exposure of Private Information ('Privacy Violation')

Details

When a user takes a picture to send over a secret chat, a copy of that photo will remain on the Android filesystem even after the user deletes the chat, or even if the chat is self-destructed.

The problem lies in the way Telegram takes the photo upon user request. Looking at the source code, specifically at the file org/telegram/ui/ChatActivity.java, we see the following:

try {
    // Delegate the capture to whichever app handles ACTION_IMAGE_CAPTURE (normally the stock camera).
    Intent takePictureIntent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
    File image = AndroidUtilities.generatePicturePath();
    if (image != null) {
        if (Build.VERSION.SDK_INT >= 24) {
            // On API 24+ the output path is handed over as a content:// URI via FileProvider.
            takePictureIntent.putExtra(MediaStore.EXTRA_OUTPUT,
                    FileProvider.getUriForFile(getParentActivity(), BuildConfig.APPLICATION_ID + ".provider", image));
            takePictureIntent.addFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
            takePictureIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        } else {
            takePictureIntent.putExtra(MediaStore.EXTRA_OUTPUT, Uri.fromFile(image));
        }
        // Only this path is tracked (and later deleted); any extra copy the camera app keeps is not.
        currentPicturePath = image.getAbsolutePath();
    }
    startActivityForResult(takePictureIntent, 0);
} catch (Exception e) {
    // Exception handling is elided in the advisory's excerpt.
}

Telegram uses the MediaStore.ACTION_IMAGE_CAPTURE intent to take the picture. This means that the photo is actually taken by whichever application is registered to handle this action. Although Telegram Messenger passes the path where the picture should be saved, it has no control over what that application does with the photo.

In most cases the native camera application will save its own copy of the photo on the Android file system (typically in the public gallery location), in addition to the copy written to the path passed by Telegram Messenger.

This means that when a secret chat is deleted, Telegram Messenger deletes the photo residing at the path it provided through MediaStore, but not the copy saved by the native camera application.

In order to avoid this issue, Telegram should implement its own photo-taking code using the Camera2 API (the older Camera class could also be used, but it has been deprecated since API level 21). This way the application can ensure that the photo data is never saved by a third-party application.
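As an added illustration of the mitigation described above (this is not Telegram's code and not part of the advisory), the following hypothetical helper captures a JPEG in-process through the Camera2 API and writes it only to a file the caller chooses under the app's private storage, so no other application ever produces or retains a copy. It assumes the CAMERA runtime permission has already been granted and that the caller passes a file under getFilesDir().

```java
import android.content.Context;
import android.graphics.ImageFormat;
import android.hardware.camera2.*;
import android.media.*;
import android.os.*;
import java.io.*;
import java.nio.ByteBuffer;
import java.util.Collections;

// Hypothetical helper: capture one JPEG in our own process and write it only to an app-private file.
// Main-looper handler for brevity; production code should use a background HandlerThread.
public final class PrivateCapture {
    private final Handler handler = new Handler(Looper.getMainLooper());

    // Assumes android.permission.CAMERA is granted; target should live under ctx.getFilesDir().
    public void captureTo(Context ctx, File target) throws CameraAccessException {
        CameraManager mgr = (CameraManager) ctx.getSystemService(Context.CAMERA_SERVICE);
        String cameraId = mgr.getCameraIdList()[0]; // first camera; select by LENS_FACING in real code
        ImageReader reader = ImageReader.newInstance(1280, 960, ImageFormat.JPEG, 1);
        mgr.openCamera(cameraId, new CameraDevice.StateCallback() {
            @Override public void onOpened(CameraDevice cam) {
                reader.setOnImageAvailableListener(r -> { // JPEG bytes land here, never in another app
                    try (Image img = r.acquireLatestImage();
                         FileOutputStream out = new FileOutputStream(target)) {
                        ByteBuffer buf = img.getPlanes()[0].getBuffer();
                        byte[] jpeg = new byte[buf.remaining()];
                        buf.get(jpeg);
                        out.write(jpeg);
                    } catch (IOException e) {
                        target.delete(); // never leave a partial file behind
                    } finally { cam.close(); reader.close(); }
                }, handler);
                try {
                    cam.createCaptureSession(Collections.singletonList(reader.getSurface()),
                        new CameraCaptureSession.StateCallback() {
                            @Override public void onConfigured(CameraCaptureSession session) {
                                try {
                                    CaptureRequest.Builder req = cam.createCaptureRequest(CameraDevice.TEMPLATE_STILL_CAPTURE);
                                    req.addTarget(reader.getSurface());
                                    session.capture(req.build(), null, handler);
                                } catch (CameraAccessException e) { cam.close(); }
                            }
                            @Override public void onConfigureFailed(CameraCaptureSession session) { cam.close(); }
                        }, handler);
                } catch (CameraAccessException e) { cam.close(); }
            }
            @Override public void onDisconnected(CameraDevice cam) { cam.close(); }
            @Override public void onError(CameraDevice cam, int error) { cam.close(); }
        }, handler);
    }
}
```

Call captureTo(ctx, new File(ctx.getFilesDir(), "secret.jpg")) from a component that already holds the CAMERA permission; because that file is the only copy ever written, deleting it when the secret chat is destroyed removes the photo completely.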

Timeline

2018-08-31 - Vendor Disclosure
2018-12-21 - Public Release

Credit

Discovered by Vitor Ventura of Cisco Talos.