Telegram desktop app leaked IP addresses in calls – Patch released
Instant messaging app Telegram has released a fix for a flaw that caused the messaging app to expose users’ IP addresses during voice calls.
Dhiraj Mishra, a security researcher, discovered a vulnerability (CVE-2018-17780) in the official Desktop version of Telegram (tdesktop) for Windows, Mac, Linux, and Telegram Messenger for Windows apps that exposed and recorded the IP address of a user by default while taking a call due to its peer-to-peer (P2P) framework.
The app leaked both public and private IP addresses during voice calls. Although users can disable the P2P calls option in iOS and Android, they had no option to turn off the feature in the desktop client of the app or in its Windows application.
Users can change settings to disable the visibility of their IP address. “Telegram is supposedly a secure messaging application, but it forces clients to only use P2P connection while initiating a call, however this setting can also be changed from ‘Settings > Privacy and security > Calls > peer-to-peer’ to other available options,” Mishra said.
“The tdesktop and Telegram for Windows breaks this trust by leaking public/private IP address of end user and there was no such option available yet for setting ‘P2P > nobody’ in tdesktop and Telegram for Windows.”
Dhiraj reported the issue to Telegram along with a proof of concept video and got €2,000 as a bug bounty reward. The company promptly issued a fix for the issue in v1.3.17 beta and v1.4.0 of Telegram for desktop to disable the P2P settings.