Critical Vulnerability in Telegram Leaks User IP Addresses

• A vulnerability was found in messaging app Telegram due to a voice call bug.
• The IP addresses of users appeared in the logs stored in telegram servers for hours instead of being encrypted.
• Users also did not have the option of turning off P2P, which could have prevented the issue.

Telegram has been amidst a lot of controversies this year, and the popular messaging app finds itself in troubled waters yet again. The desktop client of the app was found leaking both public and private IP addresses of users when voice calls were initiated. Since the voice call feature makes use of P2P functionality, the phone numbers were not encrypted which left users vulnerable to data thefts.

Telegram has already addressed the issue and the researcher who found the issue has been awarded EUR 2,000. The messaging app released an official statement "We’ve found and fixed the issue which our tester had. It turns out that during the sign in process, the API returned no value for the option. Then immediately after the user was signed in, the API returned the correct default value. But it could take up to several hours for the client to refresh this configuration. So before we fixed this, the apps could display “everyone” in the settings for an hour or two after a fresh login."

The security bug was reported by security researcher Dhiraj Mishra who revealed that the desktop app was leaking IP addresses during calls. Smartphone options have the option of turning off P2P calls, but the feature is not available to desktop users. All voice calls on the desktop version of Telegram create a connection between both users and exchanges data packets.

As stated in the previous thread. Sorry, something not right here.https://t.co/g0JblyYNWe

— Lawrence Abrams (@LawrenceAbrams) September 29, 2018

The issue has been fixed in the latest 1.3.17 beta and 1.4 versions of the app. Users have been requested to update the app and head to Settings > Privacy and security > Calls > Peer-To-Peer. Choosing the ‘Nobody’ option in the menu will stop P2P technology being used for calls, which will safeguard users.

What do you think about the security flaw found in Telegram? Let us know in the comments below. If you could share the article online, it would also be great so others can find it too. Come chat with us on Facebook and Twitter.