A researcher that goes by the name Dmitrii decided that the bouty award, coupled with the delay in response, from Telegram after he disclosed a safety flaw in the app, was enough for him to release an auto-delete bug, Telegram had offered a bounty award to Dmitrii of $1,159 if he chose not to release the information. Due to Telegram failing to fix the problem, and the low amount of money Telegram offered, it is assumed Dmitrii chose to release the information.
Researcher refuses Telegram’s bounty award, discloses auto-delete bug
From arstechnica.com
2021-10-04 14:12:18
Ax Sharma
Excerpt:
Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn’t pleased with Telegram’s months-long turnaround time—and an offered $1,159 (€1,000) bounty award in exchange for his silence.
…mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.
Because each instance of self-destruction takes at least 24 hours to run, Dmitrii’s tests spanned a few days.
“After only a few days… having shown diligence, I achieved what I was looking for: Messages that should be auto-deleted from participants in private and private group chats were only ‘deleted’ visually [in the messaging window], but in reality, picture messages remained on the device [in] the cache,” the researcher wrote in a roughly translated blog post published last week.