A bug in the Telegram Messager app logged anything its users pasted into their chats in its syslog on macOS, even if they had opted for the end-to-end encrypted "secret" mode.
The vulnerability was spotted earlier this month by Russian infosec operative Kirill Firsov, who directly and publicly challenged Telegram's flamboyant founder and chief Pavel Durov about the app's latest security flaw.
Official #Telegram for MacOS logs every pasted message to syslog, even in secret chats. @durov what's going on? pic.twitter.com/MvbWguAkT0
— Kirill Firsov (@k_firsov) July 23, 2016
In an angry reply, Durov admitted that the vuln existed, but insisted it "applies only to texts that were copy-pasted from clipboard, and such texts are open to all other Mac apps anyway."