A security researcher has created a tool that allows someone to find out the IP address of a Telegram contact just by calling them.
Denis Simonov, a security researcher also known as n0a, recently highlighted the issue and wrote a simple tool to exploit it. TechCrunch verified the researcher’s findings by adding Simonov to the contacts of a newly created Telegram account. Simonov then called the account and, shortly afterward, provided TechCrunch with the IP address of the computer on which the experiment was being carried out.
Telegram boasts 700 million users all over the world and has always marketed itself as a “secure” and “private” messaging app, even though experts have repeatedly warned that Telegram is not as secure as the end-to-end encrypted app Signal, for example.
The reason Telegram leaks a user’s IP address during a call is that, by default, Telegram uses a peer-to-peer connection between callers “for better quality and reduced latency,” Telegram spokesperson Remi Vaughn told TechCrunch.
“The downside of this is that it necessitates that both sides know the IP address of the other (since it is a direct connection). Unlike on other messengers, calls from those who are not in your contact list will be routed through Telegram’s servers to obscure that,” Vaughn said.
To avoid leaking your IP address, you have to go to Telegram’s Settings > Privacy and Security > Calls, and then select “Never” in the Peer-to-Peer menu, as shown below.
Personal Take: I don’t necessarily believe this is a maliciously integrated feature. There seems to be a legitimate reason it’s P2P by default. However, similar to the lack of E2EE by default, this is just one more step users have to take to make Telegram a decent option for users needing more safety, whereas messengers like Signal take care of much of this already.