Posted on January 7, 2021 at 6:11 PM
The Telegram messenger app is popular worldwide, with over 400 million monthly users. However, the messages shared over the app are not saved on the company’s server, which means users can decide to completely delete their messages after some time.
It uses an end-to-end encryption method, making it a sophisticated messaging app for users. But even with this level of sophistication, there can be a vulnerability when certain features are enabled in the app.
One such feature enables threat actors to find users’ exact location in order to launch a cyberattack or phishing attacks. This is especially a concern given the many stay-at-home orders.
A cybersecurity researcher recently showed how the Telegram feature could open the doors for hackers to pinpoint where a target is located.
Users who activate the geographical location feature on their Android device are at risk of allowing threat actors to know their physical address. The vulnerability has also been seen on some iPhones.
The researcher, who found out about the vulnerability, said he has disclosed his findings to Telegram developers, but they are not in a hurry to fix it.
The vulnerability comes from a feature known as “People Nearby,” which is disabled by default.
But when it is activated, a user’s geographical location becomes visible to other users who have activated the same feature on their phone and are within the same location.
That means anyone within the same location or who spoofs their location can locate users who have activated the feature.
Most users are not aware of the app’s capabilities
The app developers did not intend the feature to pose any privacy concerns. But stalkers can take advantage of it, since they can guess exactly where a user is located if the feature is activated in the app and they are staying within the same geographical location. Others have even expressed concerns that it could help bad actors track and locate their victims.
Although this feature is not active by default, not everyone is aware that they are sharing their location with other people when they activate the feature. That’s where the problem lies for many.
When independent researcher Ahmad Hassan contacted Telegram with the information, the response from the company showed that it has no intention of providing a solution.
“Users in the “People Nearby” section intentionally share their location, and this feature is turned off by default,” Telegram stated, adding that its bug bounty program doesn’t cover the particular case.
Hassan said he was awarded a bonus after discovering a similar feature in the Line messaging application with the same “People nearby” feature. In that case, he said the developers of the app provided a solution. He wonders why Telegram is adamant in this case, knowing how the feature could infringe on users’ privacy.
The app allows hackers to pinpoint users’ exact location
Hassan used easily accessible software to send Telegram’s servers three false locations around the target’s estimated location. He searched the location using a rooted Android phone.
This action added more accuracy to the target’s location. As a result, Hassan was able to tell the user’s exact location by measuring the corresponding distance shown by the “People Nearby” feature from each of the three points.
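The distance arithmetic behind this, as an added example that is not code from the researcher or from Telegram: it works on a constructed flat grid in metres and measures how far the computed position drifts from the true one when the displayed distance is rounded to coarser steps. The rounding step is an assumed mitigation used for illustration; the article does not say what Telegram or Line implemented.

```python
import math

def reported_distance(true_m, step_m):
    """Distance as a service would display it, rounded to step_m metres (0 = exact)."""
    return true_m if step_m == 0 else round(true_m / step_m) * step_m

def trilaterate(observers, distances):
    """Planar position from three observer points and their distances to it.

    Subtracting the first circle equation from the other two leaves a
    2x2 linear system, solved here with Cramer's rule. With rounded
    distances the circles need not meet in one point; the result is then
    the point where the pairwise difference lines cross.
    """
    (x1, y1), (x2, y2), (x3, y3) = observers
    d1, d2, d3 = distances
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("observer points are collinear; position is ambiguous")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - b1 * a21) / det)

def location_error(target, observers, step_m):
    """Metres between the true position and the estimate from displayed distances."""
    shown = [reported_distance(math.dist(target, o), step_m) for o in observers]
    return math.dist(target, trilaterate(observers, shown))

# Constructed sample values: positions in metres on a flat local grid.
TARGET = (120.0, 340.0)
OBSERVERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]

if __name__ == "__main__":
    for step in (0, 1, 100, 500):
        err = location_error(TARGET, OBSERVERS, step)
        print(f"distance shown in {step:>3} m steps -> error {err:6.1f} m")
```

With metre-level distances the estimate lands within a metre of the true point, which is why the precision of the displayed distance, not only the opt-in setting, determines how much a user exposes.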
However, it appears that there are other issues the app’s location-sharing feature may cause. Users are also allowed to set up local groups using geographical locations.
The researcher said the groups could be vulnerable to threat actors, since anyone who understands the function can spoof their location and carry out several scams on the group.
The worst part is that many of the users may not understand that they are probably revealing their home address to unknown persons. For instance, unwanted users can stalk a woman who has used the feature to chat with a local group.
The “People nearby” feature has been seen as a big problem, especially as many users are not aware of how it can be used. Users with more technical ability can even do much more than guess a user’s location, as they can pinpoint exactly the user’s address.
The “People nearby” feature is a perfect example of a privacy violation that the developers may not even realize they have created. The researcher has advised users to stay protected by turning off any location-sharing feature for any app not in use.