A security investigator discovered the flaw
Dhiraj Mishra, researcher on cybersecurity and ethical hacking discovered a default configuration in Telegram that could expose the IP address of its users when calls are made this way.
Supposedly Telegram is a secure messaging application, but it forces customers to use only the P2P connection while they initiate a call, however, this configuration can also be changed from “Settings > Privacy and Security > Calls > point to Point” to other options available.
According to specialists in ethical hacking the versions of Telegram for Windows break this confidence by leaking the public/private IP address of the end user and there was still no such option available to configure “P2P > Nobody” in the desktop versions of Telegram.
Even Telegram for Android could also leak your IP address if you have not edited “Settings > Privacy and Security > Calls > point to point > Nobody” (but the configuration of equal to equal for the call option already exists in Telegram for Android).
To see this in tdesktop, experts in ethical hacking comment:
- Open tdesktop
- Start call to anyone
- You will notice that the IP address of the end user is leaked
One more scenario:
- Open tdesktop in Ubuntu and register with the user A
- Allow user B to initiate a call to the user A
This problem was solved in the versions 1.3.17 Beta and V 1.4.0, which have the option to configure their “P2P to anyone/My Contacts”, later, the registry CVE-2018-17780 was assigned to this vulnerability.
According to specialists in ethical hacking from the International Institute of Cyber Security, the researcher who reported this vulnerability received €2k as a reward from the Telegram security team.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.