A hidden flaw in the secure messaging service Telegram could expose users' passwords, a researcher has found. The service also has the potential to expose media files from self-destructing messages.
Dhiraj Mishra, a security consultant working in Dubai, revealed in a blog post yesterday (February 11) that Telegram's Mac desktop client stores audio and video files from self-destruct messages indefinitely.
He did some more digging and discovered that the Mac Telegram client also stores user passwords in plain text. Neither of these security lapses is a good thing. Malware or a cunning intruder could have found both files.
"Telegram has failed again in terms of handling user data," Mishra wrote in a blog post sarcastically titled "The 'P' in Telegram Stands for Privacy".
Mishra writes that the Mac client properly deleted the self-destructing messages. But if a message had video or audio files attached to it, those files could be buried deep in the Mac's file system. Anyone or anything can find them, if they know where to look.
Passwords were written in plain text in the user's Telegram metadata, which could also be found by an attacker.
Mishra told Bleeping Computer that he reported the flaw to Telegram in December and received a €3,000 bug bounty.
Telegram fixed both flaws in a 74 update in late January; if you are using Telegram on a Mac, make sure your client software is up to date.
Telegram has seen a recent surge in new users after WhatsApp's privacy permission changes prompted an exodus from the Facebook-owned service.
Many security experts do not believe Telegram is very secure to use for sensitive communications. Instead, they recommend the Signal service, which uses the same encryption as WhatsApp.
At the end of his blog, Mishra embedded Elon Musk's now-famous "Use Signal" tweet, clearly stating his position on the issue. (See how to do that here.)