Telegram vulnerability causes IP address leaking


A security investigator discovered the flaw

Dhiraj Mishra, a cybersecurity and ethical hacking researcher, discovered a default configuration in Telegram that could expose the IP address of its users when voice calls are placed over a peer-to-peer connection.

Telegram is marketed as a secure messaging application, yet by default it routes calls over a P2P connection between the two parties, which means each endpoint learns the other's IP address. On mobile this default can be changed under “Settings > Privacy and Security > Calls > Peer-to-Peer”, where other options are available.

According to specialists in ethical hacking, the Windows versions of Telegram broke this trust by leaking the public/private IP address of the end user, and at the time there was no option in the desktop versions of Telegram to set “Peer-to-Peer > Nobody”.

Telegram for Android can also leak your IP address if you have not changed “Settings > Privacy and Security > Calls > Peer-to-Peer > Nobody” (the difference being that the peer-to-peer setting for calls already exists in Telegram for Android).

To see this in tdesktop, experts in ethical hacking comment:

  • Open tdesktop
  • Start a call to anyone
  • You will notice that the IP address of the other party is exposed

One more scenario:

  • Open tdesktop on Ubuntu and log in as user A
  • Have user B initiate a call to user A

This problem was fixed in versions 1.3.17 Beta and 1.4.0, which add the option to configure “P2P to anyone/My Contacts”; the identifier CVE-2018-17780 was later assigned to this vulnerability.
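As an added example (not from the article or from Telegram), the following helper lets an administrator audit a fleet of Telegram Desktop installs against the two facts above: builds before the fix have no P2P setting at all, and even on fixed builds a call still reveals the IP address unless the P2P setting excludes the caller. It assumes that every stable build below 1.4.0 and every beta build below 1.3.17 is affected, and that the setting takes the values Everybody, My Contacts or Nobody; `parse_version`, `is_affected` and `call_exposes_ip` are names chosen here.

```python
import re

# Versions the article names as carrying the fix for CVE-2018-17780.
FIXED_STABLE = (1, 4, 0)
FIXED_BETA = (1, 3, 17)


def parse_version(text):
    """Return ((major, minor, patch), is_beta) from strings like 'V 1.4.0' or '1.3.17 Beta'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups()), "beta" in text.lower()


def is_affected(text):
    """True if the build predates the fix (assumption: beta and stable lines fixed separately)."""
    version, beta = parse_version(text)
    return version < (FIXED_BETA if beta else FIXED_STABLE)


def call_exposes_ip(version_text, p2p_setting, caller_is_contact):
    """Does an incoming call from this caller reveal our IP address?

    Unfixed builds always use P2P and offer no setting, so they always expose it.
    On fixed builds the exposure depends on the Peer-to-Peer privacy setting.
    """
    if is_affected(version_text):
        return True
    setting = p2p_setting.strip().lower()
    if setting == "nobody":
        return False
    if setting == "my contacts":
        return caller_is_contact
    return True  # "Everybody": P2P with anyone, IP visible to any caller


def audit(inventory):
    """inventory: {host: (version string, p2p setting)} -> hosts exposed to calls from strangers."""
    return sorted(h for h, (ver, p2p) in inventory.items()
                  if call_exposes_ip(ver, p2p, caller_is_contact=False))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"pc-01": ("1.3.16", "n/a"), "pc-02": ("1.4.0", "Nobody"),
              "pc-03": ("V 1.4.1", "Everybody"), "pc-04": ("1.3.17 Beta", "My Contacts")}
    print(audit(sample))  # ['pc-01', 'pc-03']
```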

According to specialists in ethical hacking from the International Institute of Cyber Security, the researcher who reported this vulnerability received €2k as a reward from the Telegram security team.