Telegram feature exposes your exact address to hackers


If you use an Android device – or in some cases an iPhone – the Telegram messenger app makes it easy for hackers to find your exact location when you activate a feature that connects users who are geographically close to you. The researcher who discovered the vulnerability and reported it privately to Telegram developers said they did not intend to fix it.

The problem stems from a feature called People Near. It is disabled by default. When users turn it on, their geographical distance is shown to other people who have turned it on and are (or are spoofing being) in the same geographic region. When People Near is used as designed, it is a useful feature with few if any privacy concerns. After all, a notice that someone is 1 mile or 600 feet away still leaves stalkers guessing where exactly you are.

Stalking made easy

However, independent researcher Ahmed Hassan has shown how the feature can be abused to reveal exactly where you are. Using easily available software and a rooted Android device, he can spoof the location his device reports to Telegram servers. By using only three different locations and measuring the corresponding distance reported by People Near, he can determine the user’s exact location.

With Telegram, users can create local groups within a geographic area. Hassan said scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers and other scams.

“Most users do not understand that they share their location and maybe their home address,” Hassan wrote in an email. “If a woman uses the feature to chat with a local group, she may be crawled by unwanted users.”

A proof-of-concept video the researcher sent to Telegram showed how he could see the address of a People Near user when using a free GPS spoofing app to make his phone report just three different locations. He then drew a circle around each of the three locations with a radius of the distance reported by Telegram. The user’s exact location was where all three circles intersected.

Hassan requested that the video not be published. However, the screenshot below gives the general idea.

Ahmed Hassan

Solving the problem

In a blog post, Hassan included an email from Telegram in response to the report he sent to them. It noted that People Near was not activated by default and that “it is possible under certain circumstances to determine the exact location.”

Telegram representatives did not respond to a request for comment.

People Near poses the greatest threat to people using Android devices, as these devices report a user’s location with enough precision to make Hassan’s attack work. The recently released iOS 14, on the other hand, allows users to reveal only a rough approximation of their location. People who use this feature are not as exposed.

Fixing the problem – or at least making it much more difficult to exploit – would not be difficult from a technical perspective. Rounding locations to the nearest mile and adding a few random bits is usually sufficient. When the Tinder app had a similar vulnerability, developers used this technique to fix it.
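To check how much the fix described above helps, the following added example (not code from Telegram, Tinder or the researcher) compares what three distance readings recover when the server uses the exact position versus a coarsened one. It assumes flat x/y coordinates in metres, and the names `coarsen`, `SERVER_KEY` and `localisation_error`, along with deriving the random offset from a per-user keyed hash so it stays the same on every query, are assumptions of this sketch.

```python
import hashlib
import hmac
import math

MILE_M = 1609.344
SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server

def coarsen(user_id, x, y, cell=MILE_M):
    """Snap a position to the nearest grid point, then add a fixed per-user offset.

    The offset is derived from a keyed hash, so repeated queries see the same
    value and the noise cannot be averaged away.
    """
    digest = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).digest()
    ox = (digest[0] / 255 - 0.5) * cell
    oy = (digest[1] / 255 - 0.5) * cell
    return round(x / cell) * cell + ox, round(y / cell) * cell + oy

def trilaterate(observers, dists):
    """Intersect three circles by subtracting the first circle's equation."""
    (x1, y1), (x2, y2), (x3, y3) = observers
    d1, d2, d3 = dists
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c, d = 2 * (x3 - x1), 2 * (y3 - y1)
    e = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    f = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a * d - b * c
    return (e * d - b * f) / det, (a * f - e * c) / det

def localisation_error(true_pos, served_pos, observers):
    """Metres between the true position and what three readings recover."""
    dists = [math.dist(o, served_pos) for o in observers]
    return math.dist(trilaterate(observers, dists), true_pos)

if __name__ == "__main__":
    true_pos = (1234.0, -567.0)                       # constructed sample position
    observers = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
    exact = localisation_error(true_pos, true_pos, observers)
    fuzzy = localisation_error(true_pos, coarsen("user-1", *true_pos), observers)
    print(f"exact distances: {exact:.3f} m off, coarsened: {fuzzy:.0f} m off")
```

With coarsening, the three circles still meet at a single point, but that point is the snapped and offset position rather than the user's real one.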

The privacy implications of Telegram’s People Near feature are a good reminder that features can often be abused in ways that the people who develop them do not consider. Users who want to keep their location private should be suspicious of location-based services and do their research before installing or turning them on.
