25 July 2016

Russian security researcher Kirill Isis Firsov discovered vulnerability in a popular secure messaging program Telegram for MacOS. According to researcher’s tweet, the application logs all pasted into Telegram messages into syslog. This includes messages, pasted into secret chats.

This vulnerability may allow a local attacker to read all pasted texts, which were sent using Telegram. Vulnerability is confirmed by developer in the latest version of Telegram Messenger for Mac. Telegram Desktop is not vulnerable.

Syslog cannot be read by regular applications, installed from AppStore. However if there is malware on your device, it can elevate privileges and read those secret texts. And since this “feature” of Telegram was not documented anywhere, you cannot know that copies of all pasted texts are in syslog and can be accessible by unauthorized parties.

The developer of Telegram Mikhail Philiminov promised to the researcher, that this bug will be fixed in the next version of Telegram. On the meantime, we suggest cleaning your syslog files.