Telegram is still leaking user IP addresses to contacts

The popular messaging app Telegram can leak your IP address if you simply add a hacker to your contacts and accept a phone call from them.

Denis Simonov, a security researcher also known as n0a, recently highlighted the issue and wrote a simple tool to exploit it. TechCrunch verified the researcher’s findings by adding Simonov to the contacts of a newly created Telegram account. Simonov then called the account, and shortly after provided TechCrunch with the IP address of the computer where the experiment was being carried out.

Telegram boasts 700 million users all over the world, and has always marketed itself as a “secure” and “private” messaging app, even though experts have repeatedly warned that Telegram is not as secure as end-to-end encrypted app Signal, for example.

The fact that Telegram leaks your IP address to people in your contacts during a voice call has been known for years, but it’s likely that new, less technical users are not aware of it.

Simonov, who works for the cybersecurity firm T.Hunter, told TechCrunch: “Telegram focuses on security and privacy, however, in order to stay safe you need to be aware of the nuances of how the messenger’s voice calls work.”

“An unprepared person can easily reveal his IP address to his interlocutor if he does not know about them,” Simonov said.

The reason Telegram leaks a user’s IP address during a call is that, by default, Telegram uses a peer-to-peer connection between callers “for better quality and reduced latency,” Telegram spokesperson Remi Vaughn told TechCrunch.

“The downside of this is that it necessitates that both sides know the IP address of the other (since it is a direct connection). Unlike on other messengers, calls from those who are not your contact list will be routed through Telegram’s servers to obscure that,” Vaughn said.

To avoid leaking your IP address, you have to go to Telegram’s Settings > Privacy and Security > Calls, and then select “Never” in the Peer-to-Peer menu, as shown below.

Telegram setting to avoid leaking your IP address in calls.

Other messaging and calling apps have been found to leak IP addresses as well. In 2017, a researcher found that WhatsApp was leaking metadata in a way that could allow hackers to find a user’s IP address. In August, 404 Media reported that hackers could reveal the IP address of someone on Skype with no interaction.

Microsoft at the time said it would fix the vulnerability. Telegram, on the other hand, clearly thinks this is just how the app should work.

Correction: a previous version of this article described Simonov as the founder of cybersecurity firm T.Hunter. He is actually an employee, not the founder.
