Telegram leaked IP addresses of its desktop app users !!

Telegram leaked IP addresses of its desktop app users !!

The vulnerability affected Telegram’s desktop app for Windows, Mac, and Linux OS.
elegram is reputed to be one of the most secure messaging platforms out there
Telegram, a popular privacy-focused instant messaging application, reportedly contained a bug that can leak the IP addresses of users. Known for providing end-to-end encryption, Telegram’s desktop app has been discovered to be leaking not just public but private IP addresses of its users by-default during voice calls and users cannot turn off the feature.

This refers that, anyone and everyone attempting to make a voice call will be vulnerable to cyber-attacks. Telegram has, however, fixed the bug in one of the latest updates and the security researcher who identified the bug has been awarded EUR 2,000 by the company.

Bug was identified by security researcher Dhiraj Mishra. According to Mishra, the desktop version of the Telegram app was leaking IP addresses during voice calls made via a peer-to-peer framework. Smartphone users can turn off P2P calls by modifying the settings: Settings > Privacy and security > Calls > Peer-To-Peer but desktop users of Telegram aren’t offered this option.

Telegram offers two unique features namely Secret Chat and Nobody. Through Secret Chat, users can enable end-to-end encrypted calls/chats while with Nobody option users can prevent their IP addresses from being exposed during voice calls. When someone enabled Nobody option, the voice calls are routed through Telegram’s servers. Mishra identified that Nobody option isn’t available for desktop users, which means the location of every desktop app user will be vulnerable to exposure and all an attacker needs to do to obtain someone’s IP address is to make a call. As soon as the call is picked, the IP address gets revealed.

Telegram Fixes the Flaw
The security expert reported the vulnerability to Telegram via a Proof of Concept (PoC) video and the company soon patched it by rolling out an update which introduced the option to disable the P2P settings. As a reward for finding the flaw, Mishra was awarded €2,000 as a bug bounty.

Telegram boasts of a worldwide fan following with a whopping 200 million active users as of March 2018 and it is touted to be an ultra-secure messaging app that lets users make secure voice calls over the internet. But the discovery of a vulnerability in the most hyped feature of the app in its official desktop version does raise concerns. Classified as CVE-2018-17780, the vulnerability affected Telegram’s desktop app for Windows, Mac, and Linux OS.