Telegram users who specifically utilize the application for its anonymity features are advised to update their desktop clients as soon as possible to patch a bug that will leak their IP address in some scenarios.
The bug was found by Dhiraj Mishra, a bug hunter from Mumbai, India, and was patched by Telegram with the releases of Telegram for Desktop v1.4.0 and v1.3.17 beta.
Mishra told ZDNet that he discovered that under certain conditions, the Telegram desktop clients for Windows, Mac, and Linux would reveal users’ IP addresses, even when the client was configured to protect this information.
The leak, Mishra said, happened only during voice calls, and occurred even when the “Peer-to-Peer” connection type option was set to “Nobody.” This is a big deal, as this option is intended to mask the IP addresses of the two users calling each other.
Under normal circumstances, Telegram’s voice calling feature works by establishing a direct IP-to-IP (or peer-to-peer) connection between the two users, and exchanging data packets between the two directly.
A peer-to-peer connection is not private by design, as it directly exposes the two participants.
The default option for voice calls is to use a peer-to-peer connection for the users’ contacts, for performance’s sake. This means that Telegram will always leak your IP address to people you already added to your contacts list.
But since Telegram made a name for itself as an anonymous IM client, the company also added a mechanism to mask users’ IP addresses when calling each other, in the form of the “Nobody” option, which tells the Telegram app to never initiate a peer-to-peer connection during voice calls.
This option is not enabled by default, but when users do enable it, they expect the privacy of their call to be honored. This is where Mishra says he discovered the bug, as he observed that users’ IP addresses would leak during voice calls with the “Nobody” option enabled.
“Not only the MTProto Mobile Protocol fails here in covering the IP address, rather such information can also be used for OSINT,” Mishra said.
This is a dangerous bug, especially for users who utilize Telegram for its privacy and anonymity features, such as journalists, political dissidents, or human rights fighters.
In the summer of 2016, it was reported that an Iranian state-sponsored hacking group abused a vulnerability in the Telegram app to identify the telephone numbers of over 15 million Iranians who registered an account on the platform, effectively tying their Telegram usernames to their phone numbers and their real-life persona.
An IP leak can have similar privacy-busting consequences.
This is the second time an IP leak was found in the Telegram desktop client this year, after a similar one was discovered and patched in late July.
Telegram awarded Mishra a reward of €2,000 for his report. The IP leak received the CVE-2018-17780 vulnerability identifier.
If users believed their Telegram voice calls were private, and are now finding out this is not the case, they can visit the “Settings > Privacy and security > Calls > Peer-to-Peer” section and set the option to Nobody to ensure their privacy is respected.