The desktop version of Telegram has been found to expose users’ IP addresses while making a call.
Security researcher Dhiraj Mishra discovered that, in its default configuration, Telegram allows both the private and public IP addresses of users to be exposed when making a call.
The issue occurs because Telegram’s default configuration uses a P2P connection to initiate a voice call. As a result, when you make a call, the IP address of the person you are talking with is shown in the console log.
This default setting can be changed by:
- Select settings
- Click privacy and security
- Select Calls
- Change “peer-to-peer” to other available options
This will cause your calls to be routed through Telegram’s servers and will also hide your IP address, but audio quality will be reduced.
The problem here is that the desktop version of Telegram (tdesktop) and Telegram Messenger for Windows do not have the option to change P2P to other connections.
So whenever you make a call through the desktop version of Telegram, both the recipient’s and the caller’s IP addresses are exposed to each other.
Security researcher Dhiraj Mishra was also awarded a €2,000 bug bounty for disclosing the vulnerability to the company.
The vulnerability impacts the official desktop version of Telegram for Windows, Mac and Linux, and also Telegram Messenger for Windows.
Users are advised to update their Telegram to the latest version immediately and change settings from peer-to-peer to other available options.