Telegram fixes IP address leak in desktop client

Telegram team forgot to add privacy-enhancing option for voice calls in desktop clients.

Telegram users who specifically utilize the application for its anonymity features are advised to update their desktop clients as soon as possible to patch a bug that will leak their IP address in some scenarios.

The bug was found by Dhiraj Mishra, a bug hunter from Mumbai, India, and was patched by Telegram with the releases of Telegram for Desktop v1.4.0 and v1.3.17 beta.

Mishra told ZDNet that he discovered that the Telegram desktop clients for Windows, Mac, and Linux would reveal users' IP addresses. The leak, Mishra said, happened only during voice calls.

Also: Cyber security: Your boss doesn't care and that's not OK

Under normal circumstances, Telegram's voice calling feature works by establishing a direct IP-to-IP (or peer-to-peer) connection between the two users, and exchanging data packets between the two directly.

telegram-ip-leak.png
Image: Dhiraj Mishra

A peer-to-peer connection is not private by design, as it directly exposes the IP addresses of the two participants.

The default option for voice calls is to use a peer-to-peer connection for all a users' contacts, for performance's sake. This means that Telegram will always leak your IP address to people you already added to your contacts list.

Also: California governor signs country's first IoT security law CNET

But since Telegram made a name for itself by running an anonymous instant messaging client, the company also added a mechanism to mask users' IP addresses when calling each other --in the form of the "Nobody" option which tells the Telegram app to never initiate a peer-to-peer connection during voice calls.

Mishra said this option was only present in the mobile app and not Telegram's desktop client, meaning all calls initiated from the desktop version would leak users' IPs.

Also: How to install and use the PassFF Firefox password manager TechRepublic

This is a dangerous bug, especially for users who utilize Telegram for its privacy and anonymity feature, such as journalists, political dissidents, or human rights fighters.

In the summer of 2016, it was reported that an Iranian state-sponsored hacking group abused a vulnerability in the Telegram app to identify the telephone numbers of over 15 million Iranians who registered an account on the platform, effectively tying their Telegram usernames to their phone numbers and their real-life persona.

An IP leak can have similar privacy-busting consequences.

This is the second time an IP leak was found in the Telegram desktop client this year after a similar one was discovered and patched in late July.

Telegram fixed the issue by adding the Nobody option in its desktop client settings and awarded Mishra a reward of €2,000 for his report. The IP leak received the CVE-2018-17780 vulnerability identifier.

Users can visit the " Settings > Privacy and security > Calls > Peer-to-Peer" section and set the option to Nobody to ensure their privacy is respected.

Article updated with clarification from Telegram devs regarding Nobody option.

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

FBI solves mystery surrounding 15-year-old Fruitfly Mac malware

Fruitfly malware author used port scanning with weak or no passwords to identify potential victims.

Meet Torii, a new IoT botnet far more sophisticated than Mirai variants

The evolving IoT botnet is able to compromise an impressive array of architectures.

Teenage Apple hacker avoids jail for 'hacky hack hack' attack

The self-proclaimed Apple fan stole roughly 90GB of confidential data from the iPad and iPhone maker.

Related stories: