The desktop version of the security and privacy-focused, end-to-end encrypted messaging app, Telegram, has been found leaking both users’ private and public IP addresses by default during voice calls.
With 200 million monthly active users as of March 2018, Telegram promotes itself as an ultra-secure instant messaging service that lets its users make end-to-end encrypted chat and voice call with other users over the Internet.
Security researcher Dhiraj Mishra uncovered a vulnerability (CVE-2018-17780) in the official Desktop version of Telegram (tdesktop) for Windows, Mac, and Linux, and Telegram Messenger for Windows apps that was leaking users’ IP addresses by default during voice calls due to its peer-to-peer (P2P) framework.
To improve voice quality, Telegram by default uses a P2P framework for establishing a direct connection between the two users while initiating a voice call, exposing the IP addresses of the two participants.
Telegram Calls Could Leak Your IP Address
However, just like Telegram provides the ‘Secret Chat’ option for users who want their chats to be end-to-end encrypted, the company does offer an option called “Nobody,” which users can enable to prevent their IP addresses from being exposed during voice calls.
Enabling this feature will cause your Telegram voice calls to be routed through Telegram’s servers, which will eventually decrease the audio quality of the call.
However, Dhiraj found that this Nobody option is only available to mobile users, and not for Telegram for Desktop (tdesktop) and Telegram Messenger for Windows apps, revealing the location of all desktop users regardless of how careful they might be otherwise.
To get an IP address of someone, all an attacker needs to do is initiate a call. Even if the recipients do not pick the call, monitoring network traffic will reveal their IP address.
Dhiraj reported his findings to the Telegram team, and the company patched the issue in both 1.3.17 beta and 1.4.0 versions of Telegram for Desktop by providing an option of setting your “P2P to Nobody/My Contacts.”
Users can enable the option by heading towards Settings → Private and Security → Voice Calls → Peer-To-Peer to Never or Nobody.
Dhiraj was also awarded a €2,000 (about $2,300) bug bounty for finding and responsibly disclosing the issue to the company.
Leaking of IP addresses for an app that’s meant to be secured is a real concern and does serve as a reminder that you can’t blindly depend on even the most secure and privacy-focused services.
Telegram Messenger Leaks SOCKS5 Proxy Credentials (Unpatched)
Besides this, Dhiraj also discovered and reported a separate flaw (CVE-2018-17613) in Telegram for Desktop that leaks SOCKS5 proxy credentials in plaintext, when used, as it is an optional feature.
“The link which gets generated have the password in plaintext, SOCKS5 is a transport protocol, and by itself, it is not encrypted. Requests transmit the credentials in plain text which is considered a bad security practice,” Dhiraj said.
“However, the URL which gets generated via telegram is in HTTPS but, URI producers should not provide a URI that contains a username or password that is intended to be secret. URIs are frequently displayed by browsers, stored in clear text bookmarks, and logged by user agent history and intermediary applications (proxies).”
Though Telegram team is aware of this flaw, it has no plans to fix it anytime soon, as the company believes the feature is working as intended.
Earlier this year, the desktop version for Telegram was also found to be affected by a zero-day vulnerability that had been exploited in the wild since the past year to spread malware that mines cryptocurrencies.