With 200 ane M m monthly active users every bit of March 2018, Telegram promotes itself every bit an ultra-secure minute messaging service that lets its users brand end-to-end encrypted chat too phonation telephone call back alongside other users over the Internet.
Security researcher Dhiraj Mishra uncovered a vulnerability (CVE-2018-17780) inward the official Desktop version of Telegram (tdesktop) for Windows, Mac, too Linux, too Telegram Messenger for Windows apps that was leaking users' IP addresses yesteryear default during phonation calls due to its peer-to-peer (P2P) framework.
To amend phonation quality, Telegram yesteryear default uses a P2P framework for establishing a straight connecter betwixt the 2 users spell initiating a phonation call, exposing the IP addresses of the 2 participants.
Telegram Calls Could Leak Your IP Address
However, but similar Telegram provides the 'Secret Chat' choice for users who desire their chats to move end-to-end encrypted, the companionship does offering an choice called "Nobody," which users tin strength out enable to forbid their IP addresses from existence exposed during phonation calls.
Enabling this characteristic volition crusade your Telegram phonation calls to move routed through Telegram's servers, which volition eventually decrease the well lineament of the call.
However, Dhiraj found that this Nobody choice is alone available to mobile users, too non for Telegram for Desktop (tdesktop) too Telegram Messenger for Windows apps, revealing the place of all desktop users regardless of how careful they mightiness move otherwise.
To become an IP address of someone, all an assaulter needs to arrive at is initiate a call. As presently every bit the recipients pick a call, the flaw volition give away their IP address.
Dhiraj reported his findings to the Telegram team, too the companionship patched the number inward both 1.3.17 beta too 1.4.0 versions of Telegram for Desktop yesteryear providing an choice of setting your "P2P to Nobody/My Contacts."
Users tin strength out enable the choice yesteryear heading towards Settings → Private too Security → Voice Calls → Peer-To-Peer to Never or Nobody.
Dhiraj was too awarded a €2,000 (about $2,300) põrnikas bounty for finding too responsibly disclosing the number to the company.
Leaking of IP addresses for an app that's meant to move secured is a existent draw of piece of occupation organization too does serve every bit a reminder that you lot can't blindly depend on fifty-fifty the most secure too privacy-focused services.
Telegram Messenger Leaks SOCKS5 Proxy Credentials (Unpatched)
"The link which gets generated convey the password inward plaintext, SOCKS5 is a carry protocol, too yesteryear itself, it is non encrypted. Requests transmit the credentials inward manifestly text which is considered a bad safety practice," Dhiraj said.
"However, the URL which gets generated via telegram is inward HTTPS but, URI producers should non render a URI that contains a username or password that is intended to move secret. URIs are often displayed yesteryear browsers, stored inward clear text bookmarks, too logged yesteryear user agent history too intermediary applications (proxies)."Though Telegram squad is aware of this flaw, it has no plans to cook it anytime soon, every bit the companionship believes the characteristic is working every bit intended.
Earlier this year, the desktop version for Telegram was too found to move affected yesteryear a zero-day vulnerability that had been exploited inward the wild since the yesteryear twelvemonth to spread malware that mines cryptocurrencies.
