VYPR

Unrated severity · NVD Advisory · Published Feb 12, 2021 · Updated Aug 3, 2024

CVE-2021-27205

Description

Telegram before 7.4 (212543) Stable on macOS stores the local copy of self-destructed messages in a sandbox path, leading to sensitive information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Telegram for macOS before 7.4 stored self-destructed messages in a sandbox-accessible path, leading to sensitive information disclosure.

Vulnerability

In Telegram for macOS versions before 7.4 (212543) Stable, self-destructed messages sent in secret chats were not properly deleted from the local file system. Instead, the application stored the decrypted message data (e.g., audio/video files) in a sandbox temporary directory (/var/folders/.../T/). This data remained on disk even after the message self-destructed and disappeared from the chat interface [1].

Exploitation

An attacker with access to the same macOS sandbox environment, such as a malicious application or a local user with file system access, could navigate to the temporary directory and retrieve the stored message files before they were cleaned up (typically on app restart). No special privileges beyond sandbox access are required [1].

Impact

Successful exploitation allows an attacker to read the content of self-destructed messages, defeating the privacy protection intended by the secret chat feature. This leads to unauthorized disclosure of sensitive information that the user expected to be permanently deleted [1].

Mitigation

The vulnerability was fixed in Telegram for macOS version 7.4 (212543) Stable, released on or around February 2021. Users should update to this version or later to ensure self-destructed messages are properly removed from disk. No workaround is available for older versions [1].
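A version gate for the fix described above, written as an added example (not code from the advisory or from Telegram): it parses the "7.4 (212543) Stable" version format the advisory uses and reports whether an installed build predates the fix. Reading the version from the app bundle's Info.plist assumes the keys CFBundleShortVersionString and CFBundleVersion carry the marketing version and build number; that mapping is an assumption, not something the advisory states.

```python
import plistlib
import re
from pathlib import Path
from typing import Optional, Tuple

# Fixed release per the advisory: Telegram for macOS 7.4 (212543) Stable.
FIXED_VERSION = (7, 4)
FIXED_BUILD = 212543

# Accepts "7.4", "7.4 (212543)" and "7.4 (212543) Stable".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:\((\d+)\))?\s*(?:Stable)?\s*$")


def parse_telegram_version(text: str) -> Tuple[Tuple[int, ...], Optional[int]]:
    """Parse '7.4 (212543) Stable' into ((7, 4), 212543); the build is optional."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Telegram version string: {text!r}")
    marketing = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return marketing, build


def is_affected(text: str) -> bool:
    """True if the version predates the fix. The marketing version decides
    first; when it equals 7.4, only the build number separates a pre-fix
    7.4 build from 212543 or later."""
    marketing, build = parse_telegram_version(text)
    if marketing < FIXED_VERSION:   # e.g. (7, 3) or (6, 9, 1)
        return True
    if marketing > FIXED_VERSION:   # e.g. (7, 5) or (7, 4, 1)
        return False
    return build is not None and build < FIXED_BUILD


def installed_version(app_path: str = "/Applications/Telegram.app") -> Optional[str]:
    """Read the installed version from the bundle's Info.plist.
    Assumption: CFBundleShortVersionString is the marketing version and
    CFBundleVersion the build number. Returns None when the bundle is absent."""
    plist = Path(app_path) / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    with plist.open("rb") as fh:
        info = plistlib.load(fh)
    return f"{info.get('CFBundleShortVersionString')} ({info.get('CFBundleVersion')})"


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("Telegram.app not found; nothing to check")
    else:
        print(found, "AFFECTED (update to 7.4 or later)" if is_affected(found) else "fixed")
```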

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Telegram for macOS stores self-destructed secret chat messages (audio/video) in a temporary sandbox path even after the messages are deleted from the chat, instead of securely erasing the local copies."

Attack vector

An attacker with local filesystem access to the macOS sandbox path (e.g., /var/folders/.../T/) can recover audio/video messages that were sent in a secret chat and should have self-destructed [ref_id=1]. The messages are stored as .mp4 files in a predictable temporary directory and are not removed when the self-destruct timer expires [ref_id=1]. No network attack or special privileges beyond local access to the sandbox are required.

Affected code

The advisory does not specify exact function names or file paths. The bug affects Telegram for macOS versions before 7.4 (212543) Stable, specifically in the handling of self-destructing audio/video messages in secret chats [ref_id=1]. The application stores recorded media in a temporary sandbox path (e.g., /var/folders/.../T/) as .mp4 files without cleaning them up after self-destruction [ref_id=1].

What the fix does

The advisory states that the vulnerability was patched in Telegram version 7.4 (212543) Stable for macOS [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably ensures that temporary copies of self-destructed secret chat media are securely deleted when the message destructs. The vendor awarded a 3000 EUR bounty for the report [ref_id=1].

Preconditions

  • Access: the attacker must have local filesystem access to the macOS sandbox temporary directory of the Telegram user.
  • Config: the victim must use Telegram for macOS prior to 7.4 (212543) Stable and send or receive self-destructing audio/video messages in a secret chat.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)