Telegram flaw allows hackers to track users’ location

A report published by cybersecurity researcher Ahmed Hassan mentions that the “People Nearby” feature, which allows Telegram users to see who is in nearby locations, could be abused by threat actors to triangulate the location of unsuspecting users.

While the feature is disabled by default, users who enable it may not realize that, by doing so, they might reveal their location with a high degree of accuracy.


This feature lists Telegram users within a radius of approximately 2.5 kilometers. According to the researcher, it is possible to accurately pinpoint the location of a target user by calculating the distance to that user from three different points.

All malicious hackers need to fake a location is to walk in the given area, collect its latitude and longitude, and determine how far away the target user is.

Hassan also mentions that it is possible to complete the attack using a GPS forgery tool: “Any app available on the Play Store is functional for the attack; attackers should only install apps like GPS Spoof and create three locations close to the user within an 11-kilometre radius.”


Using these three locations, threat actors could use tools like Google Earth Pro to connect counterfeit locations and calculate the midpoint between the three: “I successfully tested the attack with an app user,” the researcher says.

In this regard, Telegram mentions that this is not considered a security flaw, so the report was rejected: “The function is disabled by default; while it is possible to determine a user’s location under specific conditions, this report is not covered by our vulnerability bounty program.”

To prevent this from happening again, the company could round users’ locations to the nearest mile to avoid sending accurate locations. In addition, Hassan recommends adding random noise to the function in a similar way to what Tinder did when an identical issue was reported on the platform.
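
The rounding mitigation suggested above, as an added Python example (not code from Telegram or from Hassan's report): coordinates are snapped to a grid of about one mile before any distance is computed, so the distance shown to a viewer is identical for every position inside a cell. The grid size, function names and sample coordinates are assumptions made for the illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
MILE_M = 1609.344  # cell size follows the "nearest mile" suggestion (assumption)

def snap_to_grid(lat, lon, cell_m=MILE_M):
    """Round a coordinate to the centre of a grid cell about cell_m wide."""
    lat_step = math.degrees(cell_m / EARTH_RADIUS_M)
    lat_s = round(lat / lat_step) * lat_step
    # A degree of longitude shrinks with latitude; derive the step from the
    # snapped latitude so every point in one row uses the same step.
    lon_step = lat_step / max(math.cos(math.radians(lat_s)), 1e-6)
    return lat_s, round(lon / lon_step) * lon_step

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def reported_distance_m(viewer, target, cell_m=MILE_M):
    """Distance a service would display: both ends snapped, result bucketed."""
    d = haversine_m(snap_to_grid(*viewer, cell_m), snap_to_grid(*target, cell_m))
    return round(round(d / cell_m) * cell_m)

# Constructed sample points (not real users): two target positions roughly
# 1 km apart inside the same cell, and a viewer a few kilometres away.
CELL_CENTRE = snap_to_grid(40.0, -3.7)
TARGET_A = (CELL_CENTRE[0] + 0.003, CELL_CENTRE[1] - 0.004)
TARGET_B = (CELL_CENTRE[0] - 0.003, CELL_CENTRE[1] + 0.004)
VIEWER = (40.03, -3.72)

if __name__ == "__main__":
    for name, pos in (("A", TARGET_A), ("B", TARGET_B)):
        print(name, "raw:", round(haversine_m(VIEWER, pos)),
              "reported:", reported_distance_m(VIEWER, pos))
```

Snapping is deterministic, so repeated queries return the same value. If random noise is used instead, it should be fixed per user and location rather than redrawn on each request.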