Telegram is reputed to be one of the most secure messaging platforms out there, but a security researcher recently discovered a vulnerability in Telegram’s desktop client which leaked the IP address of users while making calls.
Dhiraj Mishra, the security expert who uncovered the flaw, found that Telegram Messenger for Windows and Telegram for Desktop did not offer an option to disable Peer-to-Peer (P2P) calls, which means users' IP addresses were left exposed whenever they made calls.
What is Peer-to-Peer Calling?
The Telegram app offers a feature called peer-to-peer calling, which users can enable or disable. When the P2P feature is disabled, all calls made by users are routed through Telegram’s servers to hide the IP address. However, disabling the feature degrades the audio quality during the call.
What Was The Flaw?
Telegram for Desktop and the Telegram Messenger for Windows do not offer the option to disable such calls, which means the IP addresses can be intercepted by a third party. The security researcher revealed that if the P2P feature is not disabled, or the option to disable it is absent, the Telegram server IP, the caller’s IP and the receiver’s IP are all leaked. So, how can the vulnerability be exploited? Well, a hacker only needs to call you on Telegram’s desktop client to know your IP address.
Telegram Fixes the Flaw
The security expert reported the vulnerability to Telegram with a Proof of Concept (PoC) video, and the company soon patched it by rolling out an update that introduced the option to disable P2P calls. Mishra was awarded a €2,000 bug bounty for finding the flaw.