Telegram messenger just fixed a bug that stored a picture you sent via a message even if you ‘unsend’ the message. The vulnerability, discovered by security researcher Dhiraj Mishra, affected the messenger’s last stable version (5.10.0 (1684)) before the update.
Mishra said on his blog the app stored images in the “/Telegram/Telegram Images/” folder in the phone‘s internal storage even if a user chooses to remove it for all users. Horrifically, this applied to group chats as well which can have as many as 200,000 members.
The video below shows the bug in action.
The messenger launched the unsend feature in 2017 that allows you to delete a message for everyone in the chat. Mishra had also tried replicating this bug in messengers such as WhatsApp, but the unsend feature worked as intended for those apps.
Telegram has released a new version (5.11) on September 5 to fix this bug.
You can read more about the anomaly here.