VYPR
Unrated severity · NVD Advisory · Published Sep 11, 2019 · Updated Aug 5, 2024

CVE-2019-16248

Description

The "delete for" feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that a sender can remove a recipient's copy of a previously sent image (analogous to supported functionality in which a sender can remove a recipient's copy of a previously sent message).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Telegram's 'delete for' feature on Android before 5.11 fails to delete shared media files from the recipient's device storage, misleading users into thinking images are removed.

Vulnerability

CVE-2019-16248 affects Telegram for Android versions prior to 5.11. The “delete for” feature, which allows a sender to delete a sent message on the recipient’s side, does not remove shared media files from the recipient’s device storage. Specifically, images remain accessible in the /Telegram/Telegram Images/ directory on the device [1][2]. This affects both private chats and supergroups [2].

Exploitation

A sender sends a media file to a recipient and then uses Telegram’s “Also delete for” feature, believing the file will be removed from the recipient’s device. However, the media file persists in the recipient’s local storage under the Telegram Images folder [1][2]. No additional authentication or special privileges are required; the sender only needs to be a Telegram user who can send messages to the recipient. The recipient can later access the stored image outside the Telegram app [2].

Impact

The direct impact is a violation of the sender’s expectation of privacy and control over previously sent media. The feature fails to achieve its intended effect, potentially allowing a recipient to retain a copy of a confidential image that the sender attempted to delete. No broader system compromise results, but the confidentiality of the sent media is undermined [1][2].

Mitigation

Telegram fixed this issue in version 5.11 for Android, released in September 2019 [1][2]. Users should update to the latest version from the Google Play Store or the official Telegram website. There is no known public KEV listing for this CVE. No workaround is available other than avoiding the use of the “delete for” feature on unpatched versions.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
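
A check built on the two facts this advisory gives, the fixed version (5.11) and the Telegram Images directory, as an added example that is not part of the advisory or of Telegram's code. The storage root passed in, the extension list and the version-string format are assumptions.

```python
import os
import re
import tempfile

FIXED = (5, 11)  # first fixed Android release, per the advisory
MEDIA_DIR = os.path.join("Telegram", "Telegram Images")  # directory named in the advisory
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".webp", ".gif"}  # assumption: extensions to report


def parse_version(name):
    """Turn '5.10.0' or '5.9.1 (1684)' into a tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", name)
    if not m:
        raise ValueError(f"unrecognised version string: {name!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_name):
    # Compare numerically: as strings "5.9" sorts after "5.11", which is wrong.
    return parse_version(version_name) < FIXED


def retained_images(storage_root):
    """Return (relative path, size) for images under <root>/Telegram/Telegram Images."""
    found = []
    for dirpath, _dirs, files in os.walk(os.path.join(storage_root, MEDIA_DIR)):
        for fname in files:
            if os.path.splitext(fname)[1].lower() in IMAGE_EXT:
                path = os.path.join(dirpath, fname)
                found.append((os.path.relpath(path, storage_root), os.path.getsize(path)))
    return sorted(found)


def audit(version_name, storage_root):
    return {"affected": is_affected(version_name), "retained": retained_images(storage_root)}


if __name__ == "__main__":
    # Constructed sample tree standing in for a copy of the device's shared storage.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, MEDIA_DIR))
        with open(os.path.join(root, MEDIA_DIR, "sample_0.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0")  # constructed bytes, not a real image
        print(audit("5.10.0", root))
```

Files listed on a device that ran a pre-5.11 build may predate the update, so the result shows what is still on storage rather than which version left it there.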
