It would seem that the instant messaging app Telegram isn’t as secure as we thought. Security expert Denis Simonov has created a tool that allows him to easily find out the IP address of any of his contacts. For an app that says it’s focused on security, this isn’t exactly a good advertisement.
The key to revealing the IP address is that the person must be in the contact list. In addition, the targeted person must also answer an audio call. Simonov first wrote about the discovery of the flaw at the end of June, and recently gave a presentation to TechCrunch.
Telegram is without a doubt one of the favorite instant messaging apps. The cloud application has 700 million users that it pulled in its fold under the promise of speed and security. Criticism that Telegram is not as secure as its competitor – Signal has not discouraged users from using it.
Telegram is an instant messaging application created by Pavel and Nikolai Durov. Released in 2013, the application is available on all platforms: iOS, Android, web version, Windows… Users can send text messages, multimedia files, audio messages, or stickers. They can also send GIFs, and images without compression, which enables transfer without loss of quality. The application allows audio and video conversations, creation of channels, bots, and an API that allows you to create your own versions of the Telegram application.
Security experts believe that the app is not completely secure, especially when compared to some of its competitors, such as Signal.
Why the IP address is shared with Telegram
Sharing the IP address during audio conversations is old news, but not all users may be aware of the flaw. For better sound quality and lower latency, Telegram uses peer-to-peer connection between the people engaged in the communication; this is where one can find out the IP address. The method does improve the audio quality, but isn’t the cost too high to pay?
“Telegram focuses on security and privacy, however, in order to stay safe you need to be aware of the nuances of how the messenger’s voice calls work”
“An unprepared person can easily reveal his IP address to his interlocutor if he does not know about them,” Simonov said.
Interestingly, users can turn off this IP address sharing. The option is located in Settings > Privacy and Security > Calls. From here the user can select “Always”, “My Contacts” or “Never”. The application warns users with a message that after the change, the quality of audio and video calls will be worse. For an app that prides itself on privacy and security, we would think that it might be a better choice to not enable IP address sharing and let the user choose this functionality themselves.
How can one person reveal the address of another
Simonov managed to create a script that can reveal the IP address from Telegram. For this it uses the desktop version of the application and traffic analysis tools like Wireshark through which it detects STUN traffic.
XOR-MAPPED-ADDRESS is one of STUN’s attributes. This is an attribute that contains the address of the sender of the message. For incoming calls the attribute contains the address of the user, and for outgoing calls the attribute contains the address of the interlocutor.
To make his job easier, Dennis wrote a Python script that automates IP address retrieval.