Telegram is one of the secure messaging platforms out there. Telegram is a cloud-based instant messaging and voice over IP service developed by Telegram Messenger LLP, a privately held company registered in London, United Kingdom, founded by the Russian entrepreneur Pavel Durov. Telegram client apps are available for Android, iOS, Windows Phone, Windows NT, macOS, and Linux.
Messages and media in Telegram are only client-server encrypted and stored on the servers by default. The service provides end-to-end encryption for voice calls, and optional end-to-end encrypted “secret” chats between two online users, yet not for groups or channels
A security researcher recently discovered a vulnerability in Telegram’s desktop client which leaked the IP address of users while making calls.
Dhiraj Mishra, the security expert who uncovered the flaw, spotted that the Telegram Messenger for Windows and Telegram for Desktop did not offer the tool to disable Peer-to-Peer (P2P) calls, which means the IP address of users would be left exposed whenever they make calls. The Telegram app offers a feature called peer-to-peer calling which can be enabled or disabled by users. When the P2P feature is disabled, all calls made by users are routed through Telegram’s servers to hide the IP address, however, disabling the feature leads to a depreciation in the audio quality during the call.
What Was The Flaw?
Telegram for Desktop and the Telegram Messenger for Windows do not offer the option to disable such calls, which means the IP addresses can be intercepted by a third party. The security researcher revealed that if the P2P feature is not disabled or is absent, the Telegram server IP, the caller’s IP as well as the receiver’s IP are leaked. So, how can the vulnerability be exploited? Well, a hacker only needs to call you on Telegram’s desktop client to know your IP address
Telegram Fixes the Flaw
The security expert reported the vulnerability to Telegram via a Proof of Concept (PoC) video and the company soon patched it by rolling out an update which introduced the option to disable the P2P settings. As a reward for finding the flaw, Mishra was awarded €2,000 as a bug bounty.