Kirill “Isis” Firsov, known for finding vulnerabilities and bugs in popular web projects, reported on Twitter that he had found an interesting feature in Telegram Messenger and had received a response from Pavel Durov in the “feature, not a bug” style: all messages pasted from the clipboard, including in secret chats, are written to the log on the device.
Pavel Durov replied to Kirill on Twitter and said that the problem was observed only on the Mac, and that it was in Telegram Messenger, not Telegram Desktop. Pavel also said that applications from the App Store can only write to syslog and do not have permission to read it.
Commentary by Kirill Firsov:
It is clear that you should not trust the keyboard, and that other programs can intercept it, but we are talking about Telegram and its security.
You can imagine the situation: I’m a deputy, I bought a laptop and installed Telegram from the monitor. I conduct business correspondence, copying important information from a document (which is on a USB flash drive) into the window of my interlocutor. The dialogue is over, the secret chat is removed, the flash drive is destroyed. A week later, I come across malware (a virus), and my important information is no longer just mine.
One can also add the possibility of this information being read by the competent authorities.
Telegram claims that it pays for reports of vulnerabilities in its own applications, but this was not the case here: the bug first had to be reported to security@telegram.org. Because of Kirill’s public tweet, the company refused to pay him for the vulnerability, and official letter.
The developer of the application, Mikhail Filimonov, informed Kirill in personal correspondence that the bug had been fixed and that the next update would close the vulnerability.