On an Android phone or an iPhone, the Telegram messenger lets you connect with people who are geographically close to you. Telegram developers have not yet confirmed that the vulnerability was discovered by the researcher.
The problem is caused by a feature called People Nearby, which is disabled by default. It lets users see their geographical distance to others who have enabled it and are located in the same area (or are spoofing their location). It's an easy feature to use, and on its face it raises few privacy concerns, if any. Even though it is not clear if someone is within a mile or 600 meters of you, stalkers can still see exactly where you are.
Simple steps to savagery
However, Ahmed Hassan, an independent researcher, has demonstrated how this feature can be used to reveal exactly where you are. He used readily available software to spoof the location his Android device reported to Telegram servers. By using three locations and measuring the distance People Nearby reported from each, he can pinpoint the exact location of a user.
Telegram allows users to create local groups in a specific area. Hassan stated that scammers use fake locations to crash these groups, then sell fake bitcoin investments, hacking software, and other scams.
Hassan sent an email explaining that most users don’t realize they share their location and possibly their home address. If a female uses that feature to chat with local groups, she could be followed by unwelcome users.
The researcher sent Telegram a proof-of-concept video. It showed how he was able to identify the address of People Nearby users by using a free GPS spoofing application to have his phone report only three locations. The researcher then drew a circle around each of the three locations, with a radius equal to the distance reported by Telegram. The exact location of the user was the intersection of all three.
Hassan requested that the video be kept private. However, the screenshot below gives an idea of the overall concept.
In a post, Hassan also included an email from Telegram responding to the report that he had sent. It stated that People Nearby was not enabled by default, and that it is “expected that determining the exact location can be possible under certain conditions.”
Telegram representatives did not respond to an email requesting comment.
People Nearby poses the greatest threat to Android users, as their devices provide enough detail to enable Hassan's attack. iOS 14 is now available and allows users to give only an approximate location. This feature is not as widely used by users.
Technically, it wouldn’t take much to fix the problem or make it harder to exploit. Adding random bits to locations and rounding them up to the nearest mile usually suffices. This was the same technique used by developers to fix a similar disclosure vulnerability in Tinder.
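The effect of that fix on the three-circle method described above can be measured directly. The following is an added example, not code from Telegram or from the researcher: it works in metres on a flat plane with constructed coordinates, and the function names, the jitter model and the rounding parameter are assumptions chosen for illustration.

```python
import math
import random

MILE_M = 1609.344  # metres per mile

def reported_distance(user, observer, jitter_m=0.0, round_to_m=None, rng=random):
    """Distance a service would report. jitter_m and round_to_m model the
    mitigation: shift the stored location randomly, then round the distance."""
    angle, radius = rng.uniform(0, 2 * math.pi), rng.uniform(0, jitter_m)
    ux = user[0] + radius * math.cos(angle)
    uy = user[1] + radius * math.sin(angle)
    d = math.hypot(ux - observer[0], uy - observer[1])
    return d if round_to_m is None else round(d / round_to_m) * round_to_m

def three_circle_fix(observers, radii):
    """Point where three circles meet. Subtracting the circle equations
    pairwise leaves a 2x2 linear system, solved here with Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = observers
    r1, r2, r3 = radii
    ax, ay = 2 * (x2 - x1), 2 * (y2 - y1)
    bx, by = 2 * (x3 - x1), 2 * (y3 - y1)
    c1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    c2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = ax * by - ay * bx
    if abs(det) < 1e-9:
        raise ValueError("observer points are collinear")
    return ((c1 * by - c2 * ay) / det, (ax * c2 - bx * c1) / det)

def fix_error_m(user, observers, **reporting):
    """How far the three-circle estimate lands from the true position."""
    radii = [reported_distance(user, o, **reporting) for o in observers]
    ex, ey = three_circle_fix(observers, radii)
    return math.hypot(ex - user[0], ey - user[1])

# Constructed sample data: a user and three observation points, in metres.
USER = (800.0, 600.0)
OBSERVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]

if __name__ == "__main__":
    print("exact distances:     %.1f m error" % fix_error_m(USER, OBSERVERS))
    print("rounded to the mile: %.1f m error"
          % fix_error_m(USER, OBSERVERS, round_to_m=MILE_M))
    print("jitter + rounding:   %.1f m error"
          % fix_error_m(USER, OBSERVERS, jitter_m=300.0, round_to_m=MILE_M,
                        rng=random.Random(7)))
```

With exact distances the estimate coincides with the true position; once the reported distances are rounded to the nearest mile, the same three measurements place the user hundreds of metres away.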
The privacy implications of Telegram’s People Nearby feature are a reminder that many features can be misused in ways that were not intended by their developers. Users who want their location to remain private should be cautious about installing or turning on location-based services.