Desktop Telegram users showing off not only their silly selfies but also their IP addresses

Researcher earns $2,000 for unmasking flaw

6 Reg comments Got Tips?

Telegram has paid out a €2,000 bounty to a researcher who uncovered a vulnerability that caused the messaging app to expose users' IP addresses. The programming blunder has been fixed in the latest version.

Dhiraj Mishra took credit for the discovery and reporting of CVE-2018-17780, a vulnerability in the Windows and tdesktop (GitHub) versions of Telegram that, under specific settings, would allow a user to view the IP address of anyone they call.

Mishra told The Register the flaw stems from Telegram's default settings to allow some users to place peer-to-peer calls. When P2P calls are made, the Telegram log file on the caller's machine shows the IP address of the person being called.

On certain versions of Telegram (such as iOS, and Android) users can turn off the logging by disabling the P2P option the privacy settings in the "calls" menu. Disabling Peer2Peer will force all calls to be routed through Telegram's own server, obscuring the IP addresses of both parties.

kids in classroom with raised hands

Back to school soon – for script kiddies as well as normal kids. Hackers peddle cybercrime e-classes via Telegram


This option, however, was not given to the desktop Windows and tdesktop builds. Because of this, users who took calls on their desktop machines were susceptible to having their IP address logged, not something you generally want in a secure communications platform.

"Telegram is supposedly a secure messaging application, but it forces clients to only use P2P connection while initiating a call, however this setting can also be changed from "Settings > Privacy and security > Calls > peer-to-peer" to other available options," Mishra said.

"The tdesktop and telegram for windows breaks this trust by leaking public/private IP address of end user and there was no such option available yet for setting "P2P > nobody" in tdesktop and Telegram for Windows."

Mishra told The Register that he reported the flaw, along with a proof of concept, to Telegram. The bug has since been patched, and Mishra took home a tidy €2,000 bounty.

Those running the desktop versions of Telegram will want to make sure they have the latest version installed, which now sport fixes for the vulnerability, and, if they want to prevent all IP address logging, disable P2P calling. ®


Biting the hand that feeds IT © 1998–2020