The Telegram encrypted messaging app released version 5.11 of their mobile client to fix a serious privacy bug that could allow a recipient to view images or files even after they were deleted by the sender. As this app has over 100 million downloads from the Google Play Store alone, this could be a major privacy violation for many users.

In March, Telegram released a new feature that allows a sender to delete a sent message and have it removed from all recipients' devices. This was added as an extra layer of privacy in the event a file, image, or message was sent by accident or the sender later decided they wanted it removed.

While researching Telegram's MTProto protocol, security researcher Dhiraj Mishra discovered a bug in Telegram related to the message deletion feature.

He noticed that when a sender deleted a message, image, or file from Telegram, it would be removed from both the sender's and recipient's conversation, but would still reside locally on the device. For Android users, this meant a recipient could still view the deleted media under the `/Telegram/Telegram Images/` path.

This bug affects not only the deletion of media from individual conversations, but also files sent to a Telegram supergroup. This means that if a user sends a file to the group by mistake and then deletes it, thinking that it will no longer be accessible, in reality every member of the group can still access the file from their device's filesystem.

"The highlighted issue is valid when we talk about Telegram "supergroups" as well, assume a case wherein you're a part of a group with 2,000,00 members and you accidentally share a media file not meant to be shared in that particular group and proceed to delete, by checking "delete for all members" present in the group," Mishra stated in his writeup. "You're relying on a functionality that is broken since your file would still be present in storage for all users."

To illustrate how this bug worked, Mishra created a YouTube video demonstration.

Mishra was only able to test this bug on Android, but assumes it would exist on both the desktop and iOS versions as well.

After the bug was reported, Telegram awarded the researcher a €2,500 bounty. This bug was fixed in version 5.11, which was released today for both Android and iOS.

Users are strongly advised to install this update to fix the bug, but Mishra told us that this release most likely only fixes the bug itself. This means that any media deleted under the previous version that was not properly removed will still be available on a recipient's device.
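The behaviour described above, and the residue an update leaves behind, can be reproduced with a small model. This is an added example, not Telegram's code: the `ChatClient` class, its methods, and the file names are hypothetical, the sample bytes are constructed, and only the directory name comes from the article.

```python
import tempfile
from pathlib import Path


class ChatClient:
    """Toy client: a message index plus an on-disk media directory."""

    def __init__(self, media_dir):
        self.media_dir = media_dir
        self.purge_media_on_delete = False   # False models the pre-fix behaviour
        self.messages = {}                   # message id -> media file path

    def receive_media(self, msg_id, name, data):
        path = self.media_dir / name
        path.write_bytes(data)               # media is saved to device storage
        self.messages[msg_id] = path

    def handle_remote_delete(self, msg_id):
        """The sender chose to delete the message for everyone."""
        path = self.messages.pop(msg_id, None)    # message leaves the conversation
        if path is not None and self.purge_media_on_delete:
            path.unlink(missing_ok=True)          # fixed behaviour: the file goes too

    def orphaned_media(self):
        """Files still on disk that no remaining message refers to."""
        referenced = set(self.messages.values())
        return sorted(p.name for p in self.media_dir.iterdir()
                      if p.is_file() and p not in referenced)


def simulate(purge_first, purge_second):
    """Delete two received images under the given settings; return leftovers."""
    with tempfile.TemporaryDirectory() as tmp:
        media_dir = Path(tmp) / "Telegram" / "Telegram Images"  # path from the article
        media_dir.mkdir(parents=True)
        client = ChatClient(media_dir)
        client.receive_media(1, "IMG_0001.jpg", b"constructed sample bytes")
        client.receive_media(2, "IMG_0002.jpg", b"constructed sample bytes")
        client.purge_media_on_delete = purge_first
        client.handle_remote_delete(1)
        client.purge_media_on_delete = purge_second   # models installing the update
        client.handle_remote_delete(2)
        return client.orphaned_media()


if __name__ == "__main__":
    print("never updated:      ", simulate(False, False))
    print("updated in between: ", simulate(False, True))
    print("fixed from the start:", simulate(True, True))
```

The middle case is the one the last paragraph warns about: a file orphaned before the update stays on disk afterwards, so it has to be found and removed separately.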

BleepingComputer has contacted Telegram to confirm which clients were affected and will update the article when we hear back.