Telegram is currently my favourite messaging app and it is one of those apps that I use daily. Over the past 5 years, they have piled on features over time and one of the features has been the ability to make phone calls through the app.
Over the weekend, a security researcher, Dhiraj Mishra, found a concerning bug on Telegram for Windows (18.104.22.168 WP8.1) and Telegram for Desktop (ver 1.3.14), which leaked user private and public IP addresses while making calls.
“Telegram is supposedly a secure messaging application, but it forces clients to only use P2P connection while initiating a call,” he says in the blog post. “However this setting can also be changed from Settings > Privacy and Security > Calls > Peer-to-peer to other available options.”
Apparently both the desktop and windows apps (yes they are two versions for PC) break this trust by leaking these public/private IP address of the end user and there was not such option yet for setting your Booty setting to ‘nobody’ in the apps.
This is obviously concerning since this kind of a bug could expose you to attacks or even disclose your location to unscrupulous individuals, which is very bad for unsuspecting users on Telegram.
Thankfully, Telegram Messenger has fixed this issue with both the 1.3.17 beta and 1.4 versions of Telegram so you should update your app right away. This new update gives you the option to disable the peer to peer calling entirely or limit it to your contacts. Thanks to his efforts, Dhiraj Mishra said that he was given €2,000 for his find.