Telegram is still leaking user IP addresses to contacts | TechCrunch

Henry · October 20, 2023, 5:51pm

A security researcher has created a tool that allows someone to find out the IP address of a Telegram contact just by calling them.

Denis Simonov, a security researcher, who is also known as n0a, recently highlighted the issue and wrote a simple tool to exploit it. TechCrunch verified the researcher’s findings by adding Simonov to the contacts of a newly created Telegram account. Simonov then called the account, and shortly after provided TechCrunch with the IP address of the computer where the experiment was being carried out.

Telegram boasts 700 million users all over the world, and has always marketed itself as a “secure” and “private” messaging app, even though experts have repeatedly warned that Telegram is not as secure as end-to-end encrypted app Signal, for example.

The reason Telegram leaks a user’s IP addresses during a call is that, by default, Telegram uses a peer-to-peer connection between callers “for better quality and reduced latency,” Telegram spokesperson Remi Vaughn told TechCrunch.

“The downside of this is that it necessitates that both sides know the IP address of the other (since it is a direct connection). Unlike on other messengers, calls from those who are not your contact list will be routed through Telegram’s servers to obscure that,” Vaughn said.

To avoid leaking your IP address, you have to go to Telegram’s Settings > Privacy and Security > Calls, and then select “Never” in the Peer-to-Peer menu, as shown below.

Personal Take: I don’t necessarily believe this is a maliciously integrated feature. There seems to be a legitimate reason it’s P2P by default. However, similar to lack of E2EE by default, this is just one more step users have to take to make Telegram a decent option for users needing more safety, versus messengers like Signal take care of much of this already.

Tech-Trooper · October 21, 2023, 9:53am

Telegram can also leak your plain text messages to Putin, so I won’t be surprised.

alula · October 22, 2023, 8:18pm

IIRC Signal calls use P2P by default too? As long as you talk to people you know personally, I believe it is the better option.
Admittedly, IP leak is not as big of a concern on Signal since people are unlikely to share their phone number with someone who they don’t already trust, but once Signal gets usernames that might change.
Wish both Signal and Telegram would prompt about this option before starting any calls to let people fit it to their use case.

mydarkstar · October 23, 2023, 12:26am

Yes, Signal indeed has the exact same default as Telegram.
Other messengers, such as WhatsApp, Skype, etc. also always use peer-to-peer calling.

I find the headline of the linked article very misleading, as this is not a “Telegram problem” at all!

You can find the setting to proxy calls via Signal servers under Settings → Privacy → Advanced:

For Telegram, you can set who you want to use P2P with in Settings → Privacy & Security → Calls.
By default, only people you explicitly add to your contacts can call you via P2P.
Everyone else will see their calls proxied via Telegram servers.

[ Second screenshot I was not allowed to attach ]

Since both messengers use end-to-end encryption for calls, relaying them via the servers does not reveal the contents of the call to the messenger.

However, it may also be a good idea to always relay calls, if you live in an oppressive region that surveils connections and you don’t use a VPN. There have been previous reports, that extended WhatsApp calls to other regions were seen as suspicious by authorities. That is because P2P calls create a consistent connection to the region of your recipient for the duration of your call.

What Jeewani’s deporting indicates is that Indian security agencies seem to be using this metadata from platforms such as WhatsApp for mass surveillance. “The establishment has been building the CMS [Central Monitoring System] since the Mumbai attacks [of 2008],” cyber security researcher Srinivas Kodali told Scroll. “It gives the security establishment access to a lot of traffic. With [messaging platforms] WhatsApp and Signal, they have been tracking peer-to-peer contact. They don’t know what you are talking but that this talk is happening.”

Kodali added, “They [agencies] are monitoring traffic continuously and getting alerts.”

I find this a much more relevant problem that people should definitely know about!

Conclusion:
If you’re a) trying to keep your call secret or b) don’t trust your callee, use a VPN or enable call relaying in your messenger of choice.

Henry · October 26, 2023, 8:04pm

Thanks for elaborating on this with Signal!

Jonah · October 27, 2023, 3:24am

I remember when this was a big story with Skype like… 10 years ago, and nothing has changed lol