Secure Messenger app, Telegram, leaking users’ IP addresses

Telegram Messenger is an internet-based messaging app that sells itself as being the most secure messaging platform on the market. It came under scrutiny in May this year after it was dubbed the “terrorists’ messenger service of choice”. The service launched in 2013 and has more than 200 million monthly active users.
Telegram Messenger’s main selling point is security, allowing users to create encrypted chats and phone calls. However, it was revealed on Friday 29 September that a default configuration within the app allows it to leak a user’s IP address when making a call. The default setting causes the IP address of the person you are calling to appear in the console logs during a Peer-to-Peer (P2P) call. Not all versions of the app have a console log; for example, researchers didn’t find a console log in tests with the Windows version but did in the Linux version.
Users on mobile can disable Peer-to-Peer calling, which in turn disables the sharing of their IP address. Doing this causes the user’s calls to be routed through Telegram’s servers instead, providing anonymity. The drawback is that users will experience a small decrease in audio quality when making calls.
The security flaw is more significant for desktop users. Security researcher Dhiraj found that the desktop Telegram app doesn’t offer the ability to disable P2P calls, meaning a desktop user’s IP address would be leaked whenever they use Telegram to make a call. Dhiraj reported the flaw to Telegram, highlighting that it was a security concern that desktop users were not able to disable P2P calling. Telegram awarded him €2000 for his efforts. Telegram also released a fix in response to the issue, and users on versions 1.3.17 and 1.4.0 can now disable P2P calls on Desktop.
As to why Telegram allowed P2P calls in the first place when they knew it could leak the IP addresses of their security-conscious user base, we don’t know.