A new Telegram bug has been recently discovered which leaks the public IP addresses of the callers. It appears that the reason for this is a default configurations option which has been found to cause this behavior.
CVE-2018-17780: Serious Telegram Bug Found: Calls Leak Ip Addresses by Default
A new security report reveals that the popular Telegram messenger app contains a vulnerability. The interesting characteristic is that it is not based on bad code, but by the way the default settings are modeled. The Telegram bug by itself is caused by the voice calls feature, the default options are to carry them out through the peer-to-peer network. The analysis of this function shows that the IP address of the user initiating the call will be recorded in the Telegram console logs. This means that all client having this feature can read the IP address of their respective call partner. Interestingly not all Telegram clients have a console log.
However there is a way to fix the issue by changing the default options: The users need to navigate to the “Settings” page, opening the “Private and Security” tab, then to the “Voice Calls” section and modifying the “Peer-to-Peer” option to “Never”. This will reroute thte calls through the Telegram server which automatically hide the IP addresses and the log messages.
A proof-of-concept demonstration has already been posted to verify the issue. Following the disclosure to the Telegram security team the CVE-2018-17780 advisory has been assigned to it. The researcher that reported the vulnerability has been awarded a bug bounty of €2,000. The associated description of the bug reads the following:
Telegram Desktop (aka tdesktop) 1.3.14, and Telegram 184.108.40.206 WP8.1 on Windows, leaks end-user public and private IP addresses during a call because of an unsafe default behavior in which P2P connections are accepted from clients outside of the My Contacts list.
The Telegram bug has been fixed in the released updates with the 1.3.17beta and 1.4.0 releases for the Desktop app. They now include a setting to disable the P2P calls. A response from the development team at Telegram says that the issue was during the sign-in process. Upon receiving news of the problem they released suitable updates and have fixed the way the service handles voice call requests when the necessary options are set.