Security researcher Dhiraj Mishra found a security flaw in version 7.3 of Telegram's macOS application that allowed access to audio and video messages in self-destructing chats. These chats are end-to-end encrypted and can be automatically deleted for both sender and receiver after the time selected by the user.
However, this flaw put the security of those chats at risk, since the content could still be accessed even after the messages had supposedly expired. The researcher reported his findings to Telegram on December 26, 2020, and the service resolved the issue in version 7.4, which was released on January 29.
Mishra also identified a second vulnerability in Telegram's macOS application, which stored local passwords in plain text in a JSON file located at “/Users/<user_name>/Library/Group Containers/<*>.ru.keepcoder.Telegram/accounts-metadata/”, as reported by the Hacker News site.
Mishra received 3,000 euros for reporting the two flaws as part of Telegram's bug bounty program. Companies often launch this type of initiative to encourage the discovery of errors and so improve the security of their products.
It should be remembered that, unlike Signal or WhatsApp, conversations on Telegram are not end-to-end encrypted by default unless users enable secret chats, which keep data encrypted even on Telegram's servers. It should also be noted that this option does not exist for group chats, so there is no end-to-end encrypted alternative for them.
With end-to-end encryption, only the receiver and the sender can see the content of a message, and it is protected if it is intercepted in transit. This means that, even if the message goes through an intermediary server, the company would have no way of accessing its content.
The messaging service had to clarify this on repeated occasions and even published a statement about it on its official blog, after the announcement of the new policies caused confusion among several users.
The main novelty is a new function that lets companies store and manage their WhatsApp Business chats using Facebook's hosting infrastructure. It is optional, not mandatory. When a user contacts a company that uses WhatsApp Business and has chosen this new service, that company will be able to see the information being shared and could use it for its own marketing purposes, which could include advertising on Facebook.
The user will be notified when a company with which he interacts through WhatsApp is using Facebook's hosting services. "In order to ensure that you are properly informed, we added an indicator in conversations with companies that chose to use Facebook's web hosting services," it is reported on the official WhatsApp blog.
Beyond all this, controversy also arose because attention turned to the amount of user data that WhatsApp collects, which is greater than that collected by Telegram or Signal. Although this is not new, the issue has recently been put back on the table after the controversy.