The desktop version of the security and privacy-focused, end-to-end encrypted messaging app, Telegram, has been found leaking both users’ private and public IP addresses by default during voice calls.
With 200 million monthly active users as of March 2018, Telegram promotes itself as an ultra-secure instant messaging service that lets its users make end-to-end encrypted chat and voice call with other users over the Internet.
Security researcher Dhiraj Mishra uncovered a vulnerability (CVE-2018-17780) in the official Desktop version of Telegram (tdesktop) for Windows, Mac, and Linux, and Telegram Messenger for Windows apps that was leaking users’ IP addresses by default during voice calls due to its peer-to-peer (P2P) framework.
To improve voice quality, Telegram by default uses a P2P framework for establishing a direct connection between the two users while initiating a voice call, exposing the IP addresses of the two participants.
However, just like Telegram provides the ‘Secret Chat’ option for users who want their chats to be end-to-end encrypted, the company does offer an option called “Nobody,” which users can enable to prevent their IP addresses from being exposed during voice calls.
Enabling this feature will cause your Telegram voice calls to be routed through Telegram’s servers, which will eventually decrease the audio quality of the call.
However, Mishra found that this Nobody option is only available to mobile users, and not for Telegram for Desktop (tdesktop) and Telegram Messenger for Windows apps, revealing the location of all desktop users regardless of how careful they might be otherwise.
Mishra reported his findings to the Telegram team, and the company patched the issue in both 1.3.17 beta and 1.4.0 versions of Telegram for Desktop by providing an option of setting your “P2P to Nobody/My Contacts.”
Users can enable the option by heading towards Settings → Private and Security → Voice Calls → Peer-To-Peer to Never or Nobody.
Mishra was also awarded a €2,000 (about $2,300) bug bounty for finding and responsibly disclosing the issue to the company.
Leaking of IP addresses for an app that’s meant to be secured is a real concern and does serve as a reminder that you can’t blindly depend on even the most secure and privacy-focused services.
Earlier this year, the desktop version for Telegram was also found to be affected by a zero-day vulnerability that had been exploited in the wild since the past year to spread malware that mines cryptocurrencies.
Source : THN