CVE-2018-17780: Telegram Bug Found to Leak IP Addresses During Calls

A new Telegram bug has been recently discovered which leaks the public IP addresses of the callers. It appears that the reason for this is a default configurations option which has been found to cause this behavior.

CVE-2018-17780: Serious Telegram Bug Found: Calls Leak Ip Addresses by Default

A new security report reveals that the popular Telegram messenger app contains a vulnerability. The interesting characteristic is that it is not based on bad code, but by the way the default settings are modeled. The Telegram bug by itself is caused by the voice calls feature, the default options are to carry them out through the peer-to-peer network. The analysis of this function shows that the IP address of the user initiating the call will be recorded in the Telegram console logs. This means that all client having this feature can read the IP address of their respective call partner. Interestingly not all Telegram clients have a console log.

However there is a way to fix the issue by changing the default options: The users need to navigate to the “Settings” page, opening the “Private and Security” tab, then to the “Voice Calls” section and modifying the “Peer-to-Peer” option to “Never”. This will reroute thte calls through the Telegram server which automatically hide the IP addresses and the log messages.

A proof-of-concept demonstration has already been posted to verify the issue. Following the disclosure to the Telegram security team the CVE-2018-17780 advisory has been assigned to it. The researcher that reported the vulnerability has been awarded a bug bounty of €2,000. The associated description of the bug reads the following:

Telegram Desktop (aka tdesktop) 1.3.14, and Telegram WP8.1 on Windows, leaks end-user (Read more…)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Martin Beltov. Read the original post at: