VYPR
Unrated severity · NVD Advisory · Published Jan 3, 2019 · Updated Aug 5, 2024

CVE-2018-3986

Description

An exploitable information disclosure vulnerability exists in the "Secret Chats" functionality of the Telegram Android messaging application version 4.9.0. The "Secret Chats" functionality allows a user to delete all traces of a chat, either by using a time trigger or by direct request. There is a bug in this functionality that leaves behind photos taken and shared in secret chats, even after the chats are deleted. These photos remain stored on the device and are accessible to all applications installed on the Android device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Telegram Android 4.9.0 secret chat deletion fails to remove photos taken in-chat, leaving them accessible to other apps.

Vulnerability

In Telegram Android version 4.9.0, the "Secret Chats" functionality that allows users to delete all traces of a chat, either by time trigger or direct request, contains a bug that leaves behind photos taken and shared during the secret chat. The photos are stored on the device filesystem and remain even after the chat is deleted. The issue originates in org/telegram/ui/ChatActivity.java, where the application uses the MediaStore.ACTION_IMAGE_CAPTURE intent to take a picture. Telegram does not ensure that the photo file is removed upon deletion of the secret chat [1].

Exploitation

An attacker needs physical or remote access to the device and the ability to run an application on it; no privileges beyond those of a normal Android app are required. By browsing device storage, the attacker can locate the leftover photo files that were taken and shared in secret chats the user believed were deleted [1].

Impact

Successful exploitation leads to unauthorized disclosure of private photos that the user intended to delete. The information disclosure violates user privacy, as the photos remain accessible to any application installed on the device, even after the secret chat is deleted. This is classified as CWE-359: Exposure of Private Information ('Privacy Violation') [1].

Mitigation

As of the publication date (2019-01-03), no fix had been released by Telegram. Users should update to a version later than 4.9.0 once a patch is available. As a workaround, users can manually delete the photo files from the device storage after sending them in a secret chat, though this is not automated. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
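The Vulnerability and Mitigation sections above describe a storage-lifetime bug: the capture intent writes the photo to a location that is not tied to the secret chat, so deleting the chat does not delete the file. The following is an added example, not Telegram's code or the NVD record's, showing the weak pattern (camera output directed to the shared Pictures directory, readable by every app) beside the hardened pattern (a per-chat directory under app-private storage, handed to the camera through a FileProvider URI, and removed in the same code path that deletes the chat). It assumes a FileProvider with the hypothetical authority `com.example.app.fileprovider` declared in the manifest with a `<files-path>` entry, and that each secret chat has an integer id.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Environment;
import android.provider.MediaStore;
import androidx.core.content.FileProvider;

import java.io.File;
import java.io.IOException;

/**
 * Added example (not Telegram's code). The only difference between the leaky
 * and hardened paths is where MediaStore.EXTRA_OUTPUT points and whether the
 * chat-deletion path knows about that location.
 *
 * Assumptions (hypothetical, not from the advisory):
 *  - a FileProvider with authority "com.example.app.fileprovider" is declared
 *    in the manifest with <files-path name="secret" path="secret_chats/" />
 *  - every secret chat has an integer chatId
 */
public final class SecretChatCapture {
    private static final String FILE_PROVIDER_AUTHORITY = "com.example.app.fileprovider"; // assumed
    private static final String SECRET_ROOT = "secret_chats";
    public static final int REQUEST_CAPTURE = 1001;

    private final Context context;

    public SecretChatCapture(Context context) {
        this.context = context.getApplicationContext();
    }

    /**
     * Weak pattern: the camera app writes into the shared Pictures directory.
     * Nothing here links the file to the chat, and any app with storage
     * access can read it after the chat is gone.
     */
    public static File leakyOutputFile(String name) {
        File pictures = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES);
        return new File(pictures, name);
    }

    /** Hardened: one directory per chat under app-private internal storage. */
    private File chatDir(int chatId) {
        File dir = new File(new File(context.getFilesDir(), SECRET_ROOT), "chat_" + chatId);
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IllegalStateException("cannot create " + dir);
        }
        return dir;
    }

    /**
     * Builds the ACTION_IMAGE_CAPTURE intent with EXTRA_OUTPUT inside the
     * chat's private directory. The camera app only gets a temporary grant
     * on this single content URI, not a path it can browse.
     */
    public Intent buildCaptureIntent(int chatId) throws IOException {
        File target = File.createTempFile("capture_", ".jpg", chatDir(chatId));
        Uri uri = FileProvider.getUriForFile(context, FILE_PROVIDER_AUTHORITY, target);
        Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
        intent.putExtra(MediaStore.EXTRA_OUTPUT, uri);
        intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        return intent;
    }

    /**
     * Must be called from the same code path that handles chat deletion,
     * whether triggered by the self-destruct timer or by the user.
     * Returns the number of entries that could not be removed so the caller
     * can retry or log; 0 means no photo from this chat remains on disk.
     */
    public int deleteChatMedia(int chatId) {
        File dir = new File(new File(context.getFilesDir(), SECRET_ROOT), "chat_" + chatId);
        int failed = 0;
        File[] files = dir.listFiles();
        if (files != null) {
            for (File f : files) {
                if (!f.delete()) failed++;
            }
        }
        if (dir.exists() && !dir.delete()) failed++;
        return failed;
    }
}
```

In the chat activity the capture is launched with `startActivityForResult(capture.buildCaptureIntent(chatId), SecretChatCapture.REQUEST_CAPTURE)`, and the deletion handler calls `capture.deleteChatMedia(chatId)` before the chat record itself is dropped, so a crash between the two steps leaves an orphaned record rather than an orphaned photo. Internal storage is chosen over the cache directory because the system may purge cache contents early, and over external storage because internal files are readable only by the owning app's uid.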

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2

News mentions: 0 (no linked articles in our index yet)