Wow. Shipping an extra NSLog statement in a privacy-focused app is an embarrassing mistake, but the response[1] from Pavel, Telegram's founder/CEO, should be the real story:
> @k_firsov This applies only to texts that were copy-pasted from clipboard, and such texts are open to all other Mac apps anyway (1).
> (2)... AppStore apps can NOT access syslog (starting 10.12 also true for unsigned apps). But ANY app can read your clipboard.
> (3)... AppStore apps are sandboxed and can only WRITE to syslog, not READ it
> (4)... Malware apps are unsigned/not from AppStore and so, of course, are not sandboxed. But it'd be a game over scenario.
> ...(5) So while copy-paste can not be secure anyway, I see such logging in the stable release redundant and will see it gone.
> ...(6) However, if you find anything really serious, let us know at security@telegram.org to claim your potential bounty. Thanks.
Basically, he's saying this isn't a problem because other App Store apps shouldn't be able to read syslog, and any malicious app already present on the machine could be reading the clipboard in real time. But he willfully ignores the fact that by saving clipboard data to the syslog, it can be accessed much later by a non-App Store app or someone with possession of the machine.
1 comment
[ 6.0 ms ] story [ 23.9 ms ] thread> @k_firsov This applies only to texts that were copy-pasted from clipboard, and such texts are open to all other Mac apps anyway (1).
> (2)... AppStore apps can NOT access syslog (starting 10.12 also true for unsigned apps). But ANY app can read your clipboard.
> (3)... AppStore apps are sandboxed and can only WRITE to syslog, not READ it
> (4)... Malware apps are unsigned/not from AppStore and so, of course, are not sandboxed. But it'd be a game over scenario.
> ...(5) So while copy-paste can not be secure anyway, I see such logging in the stable release redundant and will see it gone.
> ...(6) However, if you find anything really serious, let us know at security@telegram.org to claim your potential bounty. Thanks.
Basically, he's saying this isn't a problem because other App Store apps shouldn't be able to read syslog, and any malicious app already present on the machine could be reading the clipboard in real time. But he willfully ignores the fact that by saving clipboard data to the syslog, it can be accessed much later by a non-App Store app or someone with possession of the machine.
[1] https://mobile.twitter.com/k_firsov/status/75687561187282124...