Strangely tdesktop 1.3.14 and Telegram for windows (3.3.0.0 WP8.1) leaks end-user private and public IP address while making calls.
.@telegram unsafe default behavior of P2P leaks IP address, and CVE-2018-17780 is assigned to this.https://t.co/V61JurNTgs#infosec #bugbounty
— Dhiraj (@RandomDhiraj) September 29, 2018
Telegram is supposedly a secure messaging application, but it forces clients to only use P2P connection while initiating a call, however this setting can also be changed from “Settings > Privacy and security > Calls > peer-to-peer” to other available options.
The tdesktop and telegram for windows breaks this trust by leaking public/private IP address of end user and there was no such option available yet for setting “P2P > nobody” in tdesktop and telegram for windows.
PS: Even telegram for Android will also leak your IP address if you have not set “Settings > Privacy and security > Calls > peer-to-peer >nobody” (But Peer-to-Peer settings for call option already exists in Telegram for android).
To view this in action in tdesktop:
2. Open telegram in windows phone login with user B
3. Let user B initiate the call to user A
4. While user A access log will have public/private IP address of user B.
Not only the MTProto Mobile Protocol fails here in covering the IP address, rather such information can also be used for OSINT. This issue was fixed in 1.3.17 beta and v1.4.0 which have an option of setting your “P2P to Nobody/My contacts”, Later CVE-2018-17780 was assign to this vulnerability.
This bug was awarded €2000 by Telegram security team. (Sweeet..)
Original post at https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Telegram CVE-2018-17780 flaw, data leak)
[adrotate banner=”5″]
[adrotate banner=”13″]