Telegram feature exposes your precise address to hackers


If you’re using an Android device – or, in some cases, an iPhone – the Telegram messaging app makes it easy for attackers to find your precise location once you activate a feature that lets users who are geographically close to you connect. The researcher who discovered the disclosure vulnerability and reported it privately to Telegram’s developers said the company has no plans to fix it.

The problem stems from a feature called People Nearby. By default, it is turned off. When users enable it, their geographic distance is displayed to other users who have also activated it and are in (or are spoofing their location into) the same geographic region. When People Nearby is used as intended, it is a useful feature with little, if any, privacy concern. After all, a notification that someone is 1 kilometer or 600 meters away still leaves a stalker guessing where, precisely, you are.

Simplified chase

Independent researcher Ahmed Hassan, however, showed how the feature can be abused to disclose exactly where you are. Using freely available software and a rooted Android device, he was able to spoof the location that his device reports to Telegram’s servers. Using only three different spoofed locations and measuring the corresponding distance reported by People Nearby, he was able to pinpoint a user’s precise location.

Telegram allows users to create local groups within a geographic area. Hassan said scammers often spoof their location to join these groups and then sell fake bitcoin investments, hacking tools, stolen social security numbers and other scams.

“Most users do not understand that they are sharing their location and perhaps their home address,” wrote Hassan in an email. “If a woman used this feature to chat with a local group, she could be chased by unwanted users.”

A proof-of-concept video that the researcher sent to Telegram showed how he could work out a People Nearby user’s address by using a free GPS spoofing app to make his phone report just three different locations. He then drew a circle around each of the three locations, with a radius equal to the distance reported by Telegram. The user’s exact location was where the three circles intersected.

Hassan asked that the video not be published. The image below, however, gives a general idea.

[Image credit: Ahmed Hassan]

Solving the problem

In a blog post, Hassan included the email Telegram sent in response to his report. The email noted that People Nearby is not enabled by default and that “determining the exact location is expected to be possible under certain conditions”.

Telegram representatives did not respond to an email asking for comment.

People Nearby poses the biggest threat to people using Android devices, because those devices report a user’s location with enough granularity to make Hassan’s attack work. The recently released iOS 14, on the other hand, lets users share only a rough estimate of their location with an app. iPhone users who choose that option are not as exposed.

Solving the problem – or at least making it much harder to exploit – would not be technically difficult. Rounding reported distances to the nearest mile and adding a few random bits of noise is usually sufficient. When the Tinder app had a similar disclosure vulnerability, its developers used this kind of technique to fix it.
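To show why that fix works, here is an added example (not from the article, Hassan’s research, or Telegram’s code): it models the three-circle localisation on a flat plane in metres, then applies the mile-rounding plus random slack described above and measures how far the recovered point drifts from the true one. The vantage points and target position are constructed sample values.

```python
"""Added example: coarsened distance reports defeat three-circle localisation."""
import math
import random

MILE = 1609.344  # metres

# Constructed sample values on a local flat (x, y) plane, in metres.
VANTAGE_POINTS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
TARGET = (1234.0, 2345.0)  # the position the service should not reveal


def report_distance(point, target, mile_rounding=False, rng=None):
    """Distance a service would display to a user at `point`.

    With mile_rounding=True the distance is snapped to whole miles (minimum
    one mile), and if an `rng` is given some random slack is added on top:
    the mitigation the article describes, which hides the exact radius."""
    d = math.dist(point, target)
    if not mile_rounding:
        return d
    d = max(MILE, round(d / MILE) * MILE)
    if rng is not None:
        d += rng.uniform(-MILE / 4, MILE / 4)
    return d


def trilaterate(points, dists):
    """Recover (x, y) from three circles by subtracting the circle equations
    pairwise, which leaves a 2x2 linear system solved with Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = points
    r1, r2, r3 = dists
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        # Collinear vantage points leave the system singular (two mirror solutions).
        raise ValueError("vantage points must not be collinear")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def localisation_error(mile_rounding=False, seed=None):
    """Metres between the true target and the point recovered from the reports."""
    rng = random.Random(seed) if seed is not None else None
    dists = [report_distance(p, TARGET, mile_rounding, rng) for p in VANTAGE_POINTS]
    return math.dist(trilaterate(VANTAGE_POINTS, dists), TARGET)
```

With exact distances the recovered point lands on the target to within floating-point error; with mile-rounded reports it is off by roughly half a kilometre, and adding random slack pushes it further still.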

The privacy consequences of Telegram’s People Nearby feature are a good reminder that features can often be abused in ways their developers did not anticipate. Users who want to keep their whereabouts private should be wary of location-based services and do some research before installing or activating them.
