I find it hard to believe that Telegram did not respond to the author. How can one company simultaneously host a $200k security contest, yet not respond to a simple email disclosing a vulnerability?
Because this isn't really a vulnerability. It's "if you completely control the device that is sending/receiving encrypted messages, you can read the messages."
There's literally no way to defend against this attack. About the best they could do is show a warning like "Warning: The version of Android you are using contains vulnerabilities attackers could use to take control of your phone. Please update your softw... buy a new phone to get the latest version of Android."
I think at this point we are getting into the semantics of what qualifies as a "vulnerability." I agree there's very little Telegram can do about this, but that doesn't lessen the validity of the attack. At the very least, they could respond to the bug report. To ignore it seems highly unprofessional.