Vulnerability in Telegram revealed users’ IP addresses –

Due to an oversight of developers, desktop versions for Windows, Mac, and Linux of Telegram Messenger revealed the IP addresses of users in the process of voice calls.

Under normal circumstances, Telegram’s voice call feature, by default, establishes a direct P2P connection between two users, in which packets are exchanged directly between them. A peering connection is not confidential because it reveals the IP addresses of the participants in the process. That is, Telegram always reveals the user’s IP address to people in the contact list.

In order to ensure anonymity, Telegram engineers added a mechanism for masking IP addresses – the “Nobody” option, which prohibits initiating a peer-to-peer connection when making calls. The problem is that this function is present only in the mobile version of the messenger and does not apply to the desktop one.

The vulnerability discovered by researcher Dhiraj Mishra received the identifier CVE-2018-17780 and has already been fixed with the release of the desktop versions Telegram 1.4.0 and 1.3.17 beta, in which the developers added the “Nobody” option to the settings. For information about the vulnerability, the company paid the specialist a reward of $ 2,000.

P2P (peer-to-peer), also known as peer-to-peer, decentralized, or peer-to-peer networks, is a distributed application architecture that separates tasks between nodes (peer). Nodes have the same privileges in the application and form a network of equivalent nodes.