Researcher discovered a vulnerability in Telegram that allows users to be located

A researcher has discovered a vulnerability in Telegram. The messenger provides a “People Nearby” feature, and through it the location of a Telegram user can be determined with an accuracy of several tens of meters.

Enthusiast Ahmed Hassan published a post about the vulnerability on his blog.

Several years ago, he reported a similar flaw to the developers of the Line messenger. The creators of the messenger paid Hassan a $1,000 bounty and fixed the problem.

“A few days ago, I installed Telegram, and I noticed that they have the same feature. I tried to see if I can unmask other users’ locations, and I found they have the same issue I discovered in the Line app a few years ago. I reported the problem to Telegram security, and they said it’s not an issue. If you enable the feature of making yourself visible on the map, you’re publishing your home address online. A lot of users don’t know this when they enable that feature,” wrote Ahmed Hassan.

Although Telegram only shows the distance to a particular user in the list, their exact location can be determined using triangulation.

“If you notice, Telegram is telling how far each person is from me. An adversary can spoof their location for three points and use them to draw three triangulation circles,” reports Ahmed Hassan.

To do this, you need to change your location twice, noting each time the distance to the user, and then draw on a map (for example, Google Maps) three circles, each centred on the coordinates you used and with a radius equal to the distance shown. The user will be at the intersection of the circles.

Let me remind you, by the way, that a researcher earned $10,000 for finding an XSS vulnerability in Google Maps.

At the same time, only users who have enabled the “People Nearby” function can be found this way.

“Telegram told me that this is not a problem. If you are using this feature, be sure to disable it, unless you want your location to be available to everyone,” said Ahmed Hassan.

It should be noted that other applications that compute the distance between users mitigate this by adding a random number to the coordinates, which makes it impossible to determine the real geolocation; in Telegram's case, the developers chose to forgo this additional security measure.
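The three-circle construction described above (what the article calls triangulation, strictly trilateration) and the coordinate-offset mitigation from this paragraph, as an added Python example that is not from the article, the researcher or Telegram: it recovers a position from three reported distances and then shows how far off the result lands once a random offset has been added to the stored coordinates. The coordinates, the flat-earth projection and the 300 m offset are constructed sample values.

```python
import math

METRES_PER_DEG_LAT = 111_320.0  # flat-earth scale; adequate for km-scale distances

def to_local_xy(lat, lon, ref_lat, ref_lon):
    """Metres east/north of a reference point (equirectangular approximation)."""
    x = (lon - ref_lon) * METRES_PER_DEG_LAT * math.cos(math.radians(ref_lat))
    return x, (lat - ref_lat) * METRES_PER_DEG_LAT

def distance_m(lat1, lon1, lat2, lon2):
    """Planar distance in metres, same projection as to_local_xy."""
    return math.hypot(*to_local_xy(lat2, lon2, lat1, lon1))

def trilaterate(observations):
    """observations: three (lat, lon, reported_distance_m) tuples, one per observer
    position. Returns the (lat, lon) where the three distance circles meet."""
    ref_lat, ref_lon = observations[0][0], observations[0][1]
    pts = [(*to_local_xy(la, lo, ref_lat, ref_lon), d) for la, lo, d in observations]
    (x1, y1, r1), (x2, y2, r2), (x3, y3, r3) = pts
    # Subtracting circle 1 from circles 2 and 3 cancels the quadratic terms, leaving
    # two linear equations a*x + b*y = c, solved here by Cramer's rule.
    a1, b1, c1 = 2 * (x2 - x1), 2 * (y2 - y1), r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2, c2 = 2 * (x3 - x1), 2 * (y3 - y1), r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("observer positions are collinear; move the third point off the line")
    x, y = (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det
    lat = ref_lat + y / METRES_PER_DEG_LAT
    lon = ref_lon + x / (METRES_PER_DEG_LAT * math.cos(math.radians(ref_lat)))
    return lat, lon

def reported_distances(target, observers, offset_m=(0.0, 0.0)):
    """Simulate the distances a 'nearby users' server reports to each observer position.
    offset_m=(east, north) models the mitigation other apps use: a random offset is added
    to the stored coordinates (here a fixed constructed value) before the distance is computed."""
    tlat, tlon = target
    flat = tlat + offset_m[1] / METRES_PER_DEG_LAT
    flon = tlon + offset_m[0] / (METRES_PER_DEG_LAT * math.cos(math.radians(tlat)))
    return [(olat, olon, distance_m(olat, olon, flat, flon)) for olat, olon in observers]

def localisation_error_m(target, observers, offset_m=(0.0, 0.0)):
    """Distance between the user's true position and the trilaterated estimate."""
    est = trilaterate(reported_distances(target, observers, offset_m))
    return distance_m(target[0], target[1], est[0], est[1])

# Constructed sample: a user's true position and three observer positions about 1 km away.
TARGET = (48.8600, 2.3500)
OBSERVERS = [(48.8550, 2.3450), (48.8550, 2.3550), (48.8650, 2.3500)]
print(f"exact distances: {localisation_error_m(TARGET, OBSERVERS):.1f} m error")
print(f"300 m offset   : {localisation_error_m(TARGET, OBSERVERS, (180.0, -240.0)):.1f} m error")
```

With exact distances the estimate lands on the true position; with the offset in place the estimate is the offset point, so the error equals the offset size regardless of how carefully the circles are drawn.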

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
