Telegram CVE-2018-17780 flaw causes the leak of IP addresses when initiating calls
1.10.2018 securityaffairs
Vulnerebility

CVE-2018-17780 – Security researcher Dhiraj Mishra discovered that Telegram default configuration would expose a user’s IP address when making a call.
Strangely tdesktop 1.3.14 and Telegram for windows (3.3.0.0 WP8.1) leaks end-user private and public IP address while making calls.

Dhiraj
@mishradhiraj_
.@telegram unsafe default behavior of P2P leaks IP address, and CVE-2018-17780 is assigned to this.https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html …#infosec #bugbounty

6:45 PM - Sep 29, 2018
53
31 people are talking about this
Twitter Ads info and privacy
Telegram is supposedly a secure messaging application, but it forces clients to only use P2P connection while initiating a call, however this setting can also be changed from “Settings > Privacy and security > Calls > peer-to-peer” to other available options.

The tdesktop and telegram for windows breaks this trust by leaking public/private IP address of end user and there was no such option available yet for setting “P2P > nobody” in tdesktop and telegram for windows.

PS: Even telegram for Android will also leak your IP address if you have not set “Settings > Privacy and security > Calls > peer-to-peer >nobody” (But Peer-to-Peer settings for call option already exists in Telegram for android).

To view this in action in tdesktop:

1. Open tdesktop,
2. Initiate a call to anyone,
3. You will notice the end user IP address is leaking.
cve-2018-17780 telegram

Other scenario:
1. Open tdesktop in Ubuntu and login with user A
2. Open telegram in windows phone login with user B
3. Let user B initiate the call to user A
4. While user A access log will have public/private IP address of user B.

cve-2018-17780 telegram 2

Not only the MTProto Mobile Protocol fails here in covering the IP address, rather such information can also be used for OSINT. This issue was fixed in 1.3.17 beta and v1.4.0 which have an option of setting your “P2P to Nobody/My contacts”, Later CVE-2018-17780 was assign to this vulnerability.

CVE-2018-17780 Telegram

This bug was awarded €2000 by Telegram security team. (Sweeet..)

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)
Original post at https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html