- Joined
- Jun 13, 2020
- Messages
- 7,018
- Reaction score
- 908
- Points
- 212
- Awards
- 2
The desktop version of the security and privacy-focused, end-to-end encrypted messaging app, Telegram, has been found leaking both users' private and public IP addresses by default during voice calls.
With 200 million monthly active users as of March 2018, Telegram promotes itself as an ultra-secure instant messaging service that lets its users make end-to-end encrypted chat and voice call with other users over the Internet.
Security researcher Dhiraj Mishra uncovered a vulnerability (CVE-2018-17780) in the official Desktop version of Telegram (tdesktop) for Windows, Mac, and Linux, and Telegram Messenger for Windows apps that was leaking users' IP addresses by default during voice calls due to its peer-to-peer (P2P) framework.
To improve voice quality, Telegram by default uses a P2P framework for establishing a direct connection between the two users while initiating a voice call, exposing the IP addresses of the two participants.
Telegram Calls Could Leak Your IP Address#
However, just like Telegram provides the 'Secret Chat' option for users who want their chats to be end-to-end encrypted, the company does offer an option called "Nobody," which users can enable to prevent their IP addresses from being exposed during voice calls.
Enabling this feature will cause your Telegram voice calls to be routed through Telegram's servers, which will eventually decrease the audio quality of the call.
However, Dhiraj found that this Nobody option is only available to mobile users, and not for Telegram for Desktop (tdesktop) and Telegram Messenger for Windows apps, revealing the location of all desktop users regardless of how careful they might be otherwise.
To get an IP address of someone, all an attacker needs to do is initiate a call. As soon as the recipients pick a call, the flaw will reveal their IP address.
Dhiraj reported his findings to the Telegram team, and the company patched the issue in both 1.3.17 beta and 1.4.0 versions of Telegram for Desktop by providing an option of setting your "P2P to Nobody/My Contacts.
With 200 million monthly active users as of March 2018, Telegram promotes itself as an ultra-secure instant messaging service that lets its users make end-to-end encrypted chat and voice call with other users over the Internet.
Security researcher Dhiraj Mishra uncovered a vulnerability (CVE-2018-17780) in the official Desktop version of Telegram (tdesktop) for Windows, Mac, and Linux, and Telegram Messenger for Windows apps that was leaking users' IP addresses by default during voice calls due to its peer-to-peer (P2P) framework.
To improve voice quality, Telegram by default uses a P2P framework for establishing a direct connection between the two users while initiating a voice call, exposing the IP addresses of the two participants.
Telegram Calls Could Leak Your IP Address#
However, just like Telegram provides the 'Secret Chat' option for users who want their chats to be end-to-end encrypted, the company does offer an option called "Nobody," which users can enable to prevent their IP addresses from being exposed during voice calls.
Enabling this feature will cause your Telegram voice calls to be routed through Telegram's servers, which will eventually decrease the audio quality of the call.
However, Dhiraj found that this Nobody option is only available to mobile users, and not for Telegram for Desktop (tdesktop) and Telegram Messenger for Windows apps, revealing the location of all desktop users regardless of how careful they might be otherwise.
To get an IP address of someone, all an attacker needs to do is initiate a call. As soon as the recipients pick a call, the flaw will reveal their IP address.
Dhiraj reported his findings to the Telegram team, and the company patched the issue in both 1.3.17 beta and 1.4.0 versions of Telegram for Desktop by providing an option of setting your "P2P to Nobody/My Contacts.