TL;DR: Update Telegram’s macOS clients to version 2.28 or newer. Earlier versions leak URLs from secret chats. NCSC-FI has released an advisory in English.

Updated 2016–11–22: Added a link to the English language advisory.

The previous blog post describes the reasons why we created URI:teller. Around October 26 our very own Jani Kenttälä (janikenttala) was putting URI:teller through its paces by testing the bajillion different messengers he has installed on his Mac. One of those apps was Telegram’s macOS client. That particular client fetched link previews via an external Telegram server, even for secret chats which are supposed to be end-to-end encrypted. Uh-oh

Jani and Ossi demonstrating the effect with Telegram macOS 2.27.51100.

We promply reported this to Juhani Eronen of NCSC-FI. Based on NCSC-FI’s additional testing the macOS client was alone in leaking URLs from secure chats, other official Telegram mobile/desktop clients did not do so. NCSC-FI in turn contacted Telegram, who issued a fix in the client version 2.28. The update is now available from Telegram’s website and the Mac App Store.

Check NCSC-FI’s advisory in English. We thank both NCSC-FI and Telegram for their quick actions on this issue. And of course Jani will get a magnificent bonus for his heroic effort.