Vulnerability in Telegram allowed viewing deleted images

The vulnerability affects not only files deleted from separate dialogs, but also attachments sent to Telegram supergroups.

Version 5.11 of the mobile client for the cross-platform messenger Telegram has been released, fixing a vulnerability that allowed the recipient to view images or files even after the sender had deleted them.

In March, Telegram implemented a new feature that allows the user to delete a sent message from all recipient devices. It was added as an additional level of confidentiality in case the file, image or message was sent accidentally, or the sender later decided to delete it.

Security researcher Dhiraj Mishra discovered an error in the Telegram MTProto protocol related to the delete message feature. When the sender deletes a message, image or file from Telegram, it is deleted from the dialog of both the sender and the recipient, but it still remains on the device. In this case, users of Android devices can still view the deleted files.

The vulnerability affects not only multimedia files deleted from separate dialogs, but also files sent to a Telegram supergroup. If a user sends a file to the group by mistake and then deletes it, each member of the group can still access it from the file system of the device. Mishra tested the vulnerability only on the Telegram version for Android, but believes that the issue may also affect the release for iOS.

After the error was reported, Telegram rewarded the researcher with a payment of €2,500.
