Telegram, an end-to-end encrypted messaging app that emphasizes security and privacy, has been found leaking both the private and public IP addresses of its users by default during voice calls. The leak affects the desktop version of Telegram.
With more than 200 million monthly active users, Telegram describes itself as an ultra-secure instant messaging service that lets users hold end-to-end encrypted chats and voice calls with other users over the Internet.
The vulnerability, tracked as CVE-2018-17780, was disclosed by security researcher Dhiraj Mishra. It affects the official desktop version of Telegram (tdesktop) for Windows, Mac, and Linux, as well as the Telegram Messenger for Windows apps. The IP addresses leak by default during voice calls because of the app's peer-to-peer (P2P) framework.
To improve voice quality, Telegram uses a P2P framework to establish a direct connection between the two users when a voice call is initiated, which exposes the IP addresses of both participants.
Telegram provides the ‘Secret Chat’ option for users who want their chats to be end-to-end encrypted. The company also offers another option, called “Nobody,” with which users can prevent their IP addresses from being exposed during voice calls.
Enabling this option routes your Telegram voice calls through Telegram’s servers, which will eventually decrease the audio quality of the call.
Dhiraj found that the Nobody option is available to mobile users only and not in the desktop version, revealing the location of all desktop users regardless of how careful they might be.
An attacker only has to place a call to obtain the IP address of a target system. When the recipient picks up the call, the vulnerability discloses their IP address.
Dhiraj reported his findings to the Telegram team, and the company patched the issue in both the 1.3.17 beta and 1.4.0 versions of Telegram for Desktop by adding an option to set “P2P to Nobody/My Contacts.”
Users can enable this in Settings → Privacy and Security → Voice Calls → Peer-To-Peer by choosing Never or Nobody.
Leakage of IP addresses for an app that claims to be secure is a real concern.
Dhiraj also discovered and reported a separate flaw (CVE-2018-17613) in Telegram for Desktop that leaks SOCKS5 proxy credentials in plaintext when the proxy feature, which is optional, is used.
Dhiraj says, “The link which gets generated has the password in plaintext. SOCKS5 is a transport protocol, and by itself, it is not encrypted. Requests transmit the credentials in plain text, which is considered a bad security practice.”
“However, the URL which gets generated via Telegram is in HTTPS, but URI producers should not provide a URI that contains a username or password that is intended to be secret. URIs are frequently displayed by browsers, stored in clear text bookmarks, and logged by user agent history and intermediary applications (proxies).”
The Telegram team is aware of this flaw but has no plans to fix it anytime soon, as the company believes the feature is working as intended.
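Because credentials embedded in a URI end up in history, bookmarks and proxy logs, one mitigation on the logging side is to mask them before a line is stored. The following Python sketch is an added example, not code from Telegram or from the researcher; the `t.me/socks?...&user=...&pass=...` link layout, the list of secret parameter names, and all hosts and credentials in the sample are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secret ("pass" matches the assumed proxy-link layout).
SECRET_PARAMS = {"pass", "password", "passwd", "secret", "token"}
MASK = "REDACTED"
URI_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")


def redact_uri(uri):
    """Return (clean_uri, findings) with secrets in userinfo and query masked."""
    parts = urlsplit(uri)
    findings = []
    netloc = parts.netloc
    if "@" in netloc:
        userinfo, host = netloc.rsplit("@", 1)
        if ":" in userinfo:  # user:password@host form
            netloc = f"{userinfo.split(':', 1)[0]}:{MASK}@{host}"
            findings.append("userinfo-password")
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS and value:
            value = MASK
            findings.append(f"query:{key}")
        query.append((key, value))
    clean = (parts.scheme, netloc, parts.path, urlencode(query), parts.fragment)
    return urlunsplit(clean), findings


def scrub_text(text):
    """Mask credentials in every URI found in free text such as a log line."""
    hits = []

    def _sub(match):
        clean, findings = redact_uri(match.group(0))
        hits.extend(findings)
        # Leave URIs without secrets byte-for-byte unchanged.
        return clean if findings else match.group(0)

    return URI_RE.sub(_sub, text), hits


# Constructed sample lines; hosts and credentials are made up.
SAMPLE = (
    "GET https://t.me/socks?server=192.0.2.10&port=1080&user=alice&pass=hunter2\n"
    "proxy set to socks5://alice:hunter2@192.0.2.10:1080\n"
    "GET https://example.org/index.html?page=2\n"
)

if __name__ == "__main__":
    print(*scrub_text(SAMPLE), sep="\n")
```

Masking at the log sink only limits where the secret is copied; it does not change the fact that the link itself carries the password to whoever receives it.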