Software, no matter how secure, often runs the risk of being misused, hacked or used as a tool to hack other people.
Most of the time, lhackers exploit widely used and available features for malicious purposes and this is what a cybersecurity researcher recently demonstrated with the encrypted application of Telegram.
For those who are still unaware of Telegram, they should know that eIt's a messaging app for Android and iOS that allows secure communication. The application protects calls and exchanges of messages, photos, videos and documents using what is called "end-to-end encryption."
Even though the application is not completely safe as you might think and this is because the application Telegram makes it easy for hackers to find the exact location of an Android device and activates a feature that allows users who are geographically close to connect.
The vulnerability also exists on some iPhones and the researcher, who discovered the location disclosure vulnerability and responsibly reported it to Telegram developers, said the developers did not intend to fix it.
The problem is due to a function called "Close People" that by default, it is disabled and when users enable it, their geographical distance is shown to other people who enabled it and who are in the same geographical region (or who are falsifying their location).
When the "Close People" option is used as intended, it is a useful feature that raises little or no privacy concerns. However, a notification that someone is 1 kilometer or 600 meters away still leaves stalkers guessing exactly where you are.
Fortunately, people need to enable this feature because it is automatically disabled after upgrade. Therefore, not everyone is susceptible, however, there is a problem, as not all users know that by activating "Nearby People", they are sharing their location or even their personal address.
Below is the response from Telegram developers, when independent researcher Ahmed Hassan sent them proof of the vulnerability in the form of a video report:
"Thank you for contacting us. Users in the "Nearby People" section intentionally share their location, and this feature is disabled by default. It is expected that it will be possible to determine the exact location under certain conditions. Unfortunately, this case is not covered by our bug bounty program. ”
Hassan says he won a bonus when you discovered such vulnerability in the Line messaging application, which also has the same function «Close people». In this first case, the developers fixed the problem.
Using easily accessible software, Hassan was able to send Telegram's servers to three fake locations around of the approximate location of the target, from a "rooted" Android phone.
By doing so, he was able to improve the target's location accuracy by reducing the radius of its geographic location. Therefore, by measuring the corresponding distance reported by nearby people, it is able to identify the location of a user.
But it seems the app location sharing issues don't end with the feature alone.
Telegram also gives users the ability to create local groups using geographic locations, like a community group in a specific suburb, for example. These groups are also particularly vulnerable to hackers, according to the researcher. Anyone with sufficient knowledge of the function will be able to spoof the location, decipher these groups.
"Most users do not understand that they are sharing their location and perhaps their home address," Hassan wrote in an emailed statement. «If a woman uses this feature to chat with a local group, she may be harassed by unwanted users«.
The demonstration video that the researcher sent to Telegram showed how he could discern the address of a user from the "Nearby People" function when you used a free GPS Location Spoofer app to report on just three different locations.
He then drew a circle around each of the three locations with a radius of the distance reported by Telegram and where the user's precise position was where the three circles intersected.