Secure messaging app Telegram leaks anything pasted into it
Security researcher Kirill Firsov found a data leak in the popular messaging app Telegram. In the OS X version, text that was copied-and-pasted into the app was also written to the file /var/log/system.log, better known as the syslog, creating a sort of ad-hoc and unnoticed backup of any private conversations or notes.
Telegram was created specifically to be a secure messenger – one of many that have appeared on the market recently – and describes itself as the “more secure alternative” to common messaging apps like WhatsApp.
Macs keep their system logs for seven days, but an attacker would normally need physical access to a machine to read them. In corporate environments, however, system log messages are sometimes forwarded to a dedicated logging server, which would create a copy of the text beyond the user’s control as well as opportunities for it to be snooped on the wire.
The app’s founder, Pavel Durov, hit back via Twitter, noting that getting access to the syslog was hard and that there are far easier ways to read text that’s been copied and pasted because “any app can read your clipboard.”
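To check a Mac (or a log server that receives forwarded syslog) for this kind of exposure, the sketch below counts entries written by a given process and reports only their timestamps and sizes. It is an added example, not code from the original article or from Telegram; the classic BSD syslog line layout, the process name "Telegram" and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed record layout of /var/log/system.log (classic BSD syslog):
#   Mon DD HH:MM:SS host process[pid]: message
TS = r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}"
LINE_RE = re.compile(
    rf"^(?P<ts>{TS}) (?P<host>\S+) (?P<proc>[^\[\]:]+)\[(?P<pid>\d+)\]"
    r"(?: [(<][^)>]*[)>])?: (?P<msg>.*)$"
)

def audit_syslog(lines, process="Telegram"):
    """Return (per-process record counts, findings for `process`).

    Findings hold timestamp, pid and character count only, so the audit
    report does not become one more copy of the logged text.
    """
    per_proc, findings, current = Counter(), [], None
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if m:
            per_proc[m["proc"]] += 1
            current = None
            if m["proc"] == process:
                current = {"ts": m["ts"], "pid": int(m["pid"]),
                           "chars": len(m["msg"])}
                findings.append(current)
        elif re.match(TS, line):
            current = None  # other record shape, e.g. "last message repeated"
        elif current is not None and line:
            # No timestamp: continuation of a multi-line message (+1 for newline)
            current["chars"] += len(line) + 1
    return per_proc, findings

# Constructed sample lines; the real entries' message layout is not given here.
SAMPLE = [
    "Jul 23 10:14:58 macbook kernel[0]: constructed kernel message",
    "Jul 23 10:15:02 macbook Telegram[4121]: constructed pasted text, line one",
    "constructed pasted text, line two",
    "Jul 23 10:15:02 --- last message repeated 1 time ---",
    "Jul 23 10:15:09 macbook com.apple.xpc.launchd[1] (com.example.agent): constructed service message",
    "Jul 23 10:16:30 macbook Telegram[4121]: second constructed paste",
]

if __name__ == "__main__":
    counts, hits = audit_syslog(SAMPLE)
    print(f"{counts['Telegram']} Telegram records out of {sum(counts.values())}")
    for h in hits:
        print(f"  {h['ts']} pid={h['pid']} chars={h['chars']}")
```

The same function accepts any iterable of lines, so an open file handle on /var/log/system.log or on a log server's archive can be passed in place of SAMPLE.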
source | nakedsecurity