usrnm Posted October 1, 2018 Report Share Posted October 1, 2018 Mereu am spus ca Telegram e de cacat..de fapt in afara de Signal, cam toate aplicatiile de genul asta sunt de cacat: articol complet The desktop version of the security and privacy-focused, end-to-end encrypted messaging app, Telegram, has been found leaking both users' private and public IP addresses by default during voice calls. With 200 million monthly active users as of March 2018, Telegram promotes itself as an ultra-secure instant messaging service that lets its users make end-to-end encrypted chat and voice call with other users over the Internet. Security researcher Dhiraj Mishra uncovered a vulnerability (CVE-2018-17780) in the official Desktop version of Telegram (tdesktop) for Windows, Mac, and Linux, and Telegram Messenger for Windows apps that was leaking users' IP addresses by default during voice calls due to its peer-to-peer (P2P) framework. To improve voice quality, Telegram by default uses a P2P framework for establishing a direct connection between the two users while initiating a voice call, exposing the IP addresses of the two participants. Telegram Calls Could Leak Your IP Address However, just like Telegram provides the 'Secret Chat' option for users who want their chats to be end-to-end encrypted, the company does offer an option called "Nobody," which users can enable to prevent their IP addresses from being exposed during voice calls. Enabling this feature will cause your Telegram voice calls to be routed through Telegram's servers, which will eventually decrease the audio quality of the call. However, Dhiraj found that this Nobody option is only available to mobile users, and not for Telegram for Desktop (tdesktop) and Telegram Messenger for Windows apps, revealing the location of all desktop users regardless of how careful they might be otherwise. To get an IP address of someone, all an attacker needs to do is initiate a call. As soon as the recipients pick a call, the flaw will reveal their IP address. Dhiraj reported his findings to the Telegram team, and the company patched the issue in both 1.3.17 beta and 1.4.0 versions of Telegram for Desktop by providing an option of setting your "P2P to Nobody/My Contacts." Users can enable the option by heading towards Settings → Private and Security → Voice Calls → Peer-To-Peer to Never or Nobody. Dhiraj was also awarded a €2,000 (about $2,300) bug bounty for finding and responsibly disclosing the issue to the company. Leaking of IP addresses for an app that's meant to be secured is a real concern and does serve as a reminder that you can't blindly depend on even the most secure and privacy-focused services. Quote Link to comment Share on other sites More sharing options...
