The Telegram instant messaging app, known for its end-to-end encryption features, was found to contain a bug that would leak users’ IP addresses. A security researcher has discovered that the Telegram desktop app leaks users’ public and private IP addresses during voice calls. Additionally, users did not have the option to turn off the feature that could make them vulnerable to cyber attacks. However, Telegram reportedly fixed the bug in its latest updates. Notably, the company’s security team awarded the researcher 2,000 euros (approximately Rs. 1,68,900) for reporting the bug in the application.
Security researcher Dhiraj Mishra reported the Telegram bug, which he said caused the desktop app’s public and private IP addresses to leak during voice calls made through a P2P (peer-to-peer) framework. While smartphone users have the option to turn off P2P calls by changing the settings to other options by going to Settings> Privacy and security> Calls> Peer-to-Peer, no such option was available for Telegram users on the desktop.
Telegram’s voice call feature works by establishing a direct P2P connection between the users, thereby directly exchanging data packets between the two. Such a connection is supposed to directly expose the IP addresses of the users. As mentioned, users of the Telegram app on mobile can choose to prevent the disclosure of their IP addresses by changing the settings on Anybody. According to Mishra, this option was missing on Telegram’s desktop client. This could lead to a potential leak of user IP addresses for all calls made from the desktop version.
Notably, the company has now solved the problem in the 1.3.17 beta and 1.4 versions of Telegram by adding the Person option in its desktop client settings. The IP address leak received the CVE-2018-17780 vulnerability identifier and as mentioned, the company rewarded Mishra for his bug report. Users can now access Settings> Privacy and security> Calls> Peer-to-Peer and set the option to Anybody.