If you’re using an Android device, or in some cases an iPhone, the Telegram messenger app makes it easy for hackers to find your exact location when you enable a feature that allows users who are geographically close to you to connect. . The researcher who discovered the vulnerability of the disclosure and privately reported it to the Telegram developers said they have no plans to fix it.
The problem stems from a feature called People Nearby. It is disabled by default. When users enable it, their geographic distance is shown to other people who have it enabled and who are in (or spoof) the same geographic region. When People Nearby is used as designed, it’s a useful feature with little or no privacy concerns. After all, a report that someone is 1 kilometer or 600 meters away allows stalkers to guess exactly where you are.
Stalking made easy
However, independent researcher Ahmed Hassan has shown how the feature can be abused to reveal exactly where you are. Using readily available software and a rooted Android device, he can fake the location his device reports to the Telegram servers. By using only three different locations and measuring the corresponding distance reported by People Nearby, he can determine the exact location of a user.
Telegram allows users to create local groups within a geographic area. Hassan said scammers often fake their location to crash such groups and then sell fake bitcoin investments, hacking tools, stolen social security numbers and other scams.
“Most users don’t understand that they are sharing their location and maybe their home address,” Hassan wrote in an email. “If a woman uses that feature to chat with a local group, she could be stalked by unwanted users.”
A proof-of-concept video the researcher sent to Telegram showed how he could tell the address of a People Near user when he used a free GPS spoofing app to make his phone report only three different locations. He then drew a circle around each of the three locations with a radius of the distance reported by Telegram. The user’s precise location was where all three intersect.
Hassan asked not to publish the video. However, the screenshot below gives the general idea.
To solve the problem
In a blog post, Hassan added an email from Telegram in response to the report he sent them. It noted that People Nearby are not enabled by default and that “the exact location can be expected under certain conditions.”
Telegram representatives did not respond to an email asking for comment.
Nearby people pose the biggest threat to people using Android devices, as they report a user’s location with enough granularity to make Hassans’ attack work. With the recently released iOS 14, on the other hand, users can only provide a rough estimate of their location. People who use this feature are not so exposed.
Solving the problem – or at least making it much more difficult to exploit – wouldn’t be technically difficult. Rounding locations to the nearest mile and adding some random bits is generally enough. When the Tinder app had a similar disclosure vulnerability, developers used this kind of technique to fix it.
The privacy implications of the People Near Telegram feature are a good reminder that features can often be abused in ways not considered by the people developing them. Users who want to keep their whereabouts private should be wary of location-based services and do research before installing or enabling them.