CVE-2018-3986
An exploitable information disclosure vulnerability exists in the “Secret Chats” functionality of the Telegram Android messaging application version 4.9.0. The “Secret Chats” functionality allows a user to delete all traces of a chat, either by using a time trigger or by direct request. There is a bug in this functionality that leaves behind photos taken and shared on the secret chats, even after the chats are deleted. These photos will be stored in the device and accessible to all applications installed on the Android device.
Telegram Messaging Application for Android 4.9.0
4.2 - CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CWE-359: Exposure of Private Information (‘Privacy Violation’)
When a user takes a picture to send over a secret chat, a copy of that photo will remain on the Android filesystem even after the user deletes the chat, or even if the chat is self-destructed.
The problem lies in the way Telegram takes the photo upon user request. Looking at the source code, specifically at the file org/telegram/ui/ChatActivity.java, we see the following:
try {
Intent takePictureIntent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
File image = AndroidUtilities.generatePicturePath();
if (image != null) {
if (Build.VERSION.SDK_INT >= 24) {
takePictureIntent.putExtra(MediaStore.EXTRA_OUTPUT, FileProvider.getUriForFile(getParentActivity(), BuildConfig.APPLICATION_ID + ".provider", image));
takePictureIntent.addFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
takePictureIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
} else {
takePictureIntent.putExtra(MediaStore.EXTRA_OUTPUT, Uri.fromFile(image));
}
currentPicturePath = image.getAbsolutePath();
}
startActivityForResult(takePictureIntent, 0);
}
Telegram uses the MediaStore.ACTION_IMAGE_CAPTURE intent to take the picture. This means that the photo is actually taken by the application that is registered to act upon this action. Although Telegram Messenger passes the path to save the picture it doesn’t control what that application does with the photo.
In most cases the native camera application will save the photo on the Android file system next to the picture that’s saved on the system to the path passed by the Telegram Messenger.
This means that when a secret chat is deleted, Telegram Messenger deletes the photo which resides in the path it provided to Mediastore, but not the one saved by the native camera application.
In order to avoid this issue Telegram should implement its own photo taking code using the Camera2 class (the Camera class could also be used but it as been deprecated on API level 21). This way the application can ensure that the photo data is not saved by a third party application.
2018-08-31 - Vendor Disclosure
2018-12-21 - Public Release
Discovered by Vitor Ventura of Cisco Talos.