Telegram feature exposes your exact address to hackers





If you’re using an Android device or in some cases an iPhone, the Telegram messaging app makes it easy for hackers to find your exact location when you activate a feature that allows users who are geographically close to you to connect. The researcher who discovered the location-disclosure vulnerability and privately reported it to the developers at Telegram said they had no plans to fix it.

The problem stems from a feature called People Nearby. By default, it is disabled. When users enable it, their geographic distance is displayed to other people who have enabled it and who are in (or are spoofing) the same geographic region. When People Nearby is used as intended, this is a useful feature with little to no privacy concerns. After all, a notification that someone is 1 kilometer or 600 meters away still leaves stalkers guessing exactly where you are.

Tracking made easy

Independent researcher Ahmed Hassan, however, has shown how the feature can be abused to disclose exactly where you are. Using readily available software and a rooted Android device, he is able to spoof the location that his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s location.

Telegram allows users to create local groups within a geographic area. Hassan said crooks often spoof their location to plant such groups and then peddle bogus bitcoin investments, hacking tools, stolen social security numbers and other scams.

“Most users don’t understand that they are sharing their location, and maybe their home address,” Hassan wrote in an email. “If a woman uses this feature to chat with a local group, she may be harassed by unwanted users.”

A proof-of-concept video the researcher sent to Telegram showed how he could discern a user’s address from People Nearby when he used a free GPS spoofing app to make his phone report just three different locations. He then drew a circle around each of the three locations with a radius equal to the distance reported by Telegram. The user’s precise location was where the three circles intersected.

Hassan demanded that the video not be released. The screenshot below gives a general idea, however.


Solve the problem

In a blog post, Hassan included an email Telegram sent in response to his report. It noted that People Nearby is not enabled by default and that “it is intended that determining the exact location will be possible under certain conditions.”

Telegram representatives did not respond to an email requesting comment.

People Nearby poses the biggest threat to people using Android devices, since those devices report a user’s location with enough granularity for Hassan’s attack to work. The recently released iOS 14, on the other hand, allows users to disclose only a rough approximation of their location. People who use this feature are not as exposed.

Solving the problem (or at least making it much more difficult to exploit) wouldn’t be technically difficult. Rounding the locations to the nearest mile and adding random bits is usually sufficient. When the Tinder app had a similar disclosure vulnerability, the developers used this kind of technique to fix it.
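A sketch of the rounding-plus-noise mitigation described above, as an added example that is not Telegram's or Tinder's code. The grid size, jitter bound, display step, key and all function names are assumptions; deriving the jitter from a server-side key instead of fresh randomness is a design choice of this example, so that repeating a query cannot average the noise away.

```python
import hashlib
import hmac
import math

GRID_DEG = 0.0145                # assumed cell size: about 1 mile of latitude
JITTER_M = 300                   # assumed upper bound on the added offset
STEP_M = 100                     # assumed display granularity
SERVER_KEY = b"constructed-demo-key"   # placeholder secret, kept server-side
EARTH_RADIUS_M = 6_371_000


def snap(lat, lon):
    """Round a coordinate to its grid point (longitude cells narrow toward the poles)."""
    return (round(lat / GRID_DEG) * GRID_DEG, round(lon / GRID_DEG) * GRID_DEG)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def jitter_m(viewer_id, target_id, viewer_cell):
    """Offset fixed per (viewer, target, viewer cell), so repeat queries return the same value."""
    msg = f"{viewer_id}|{target_id}|{viewer_cell[0]:.4f}|{viewer_cell[1]:.4f}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") / 0xFFFFFFFF * JITTER_M


def reported_distance_m(viewer_id, viewer_pos, target_id, target_pos):
    """Distance the server would return: snapped endpoints, keyed jitter, coarse steps."""
    cell_v, cell_t = snap(*viewer_pos), snap(*target_pos)
    d = haversine_m(cell_v, cell_t) + jitter_m(viewer_id, target_id, cell_v)
    return int(round(d / STEP_M)) * STEP_M


if __name__ == "__main__":
    # Constructed coordinates: two addresses about 1.1 km apart in the same grid cell.
    home_a, home_b = (40.0020, -74.9980), (40.0100, -74.9900)
    viewer = (40.0500, -75.0500)
    print("exact   :", round(haversine_m(viewer, home_a)), round(haversine_m(viewer, home_b)))
    print("reported:", reported_distance_m("v1", viewer, "t1", home_a),
          reported_distance_m("v1", viewer, "t1", home_b))
```

Because both endpoints are snapped before the distance is computed, a viewer who moves inside one cell, or a target who moves inside one cell, produces the same reply, which removes the fine-grained distance signal the circles rely on.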

The privacy implications of Telegram’s People Nearby feature are a good reminder that features can often be abused in ways not intended by the people who develop them. Users who wish to keep their location private should be wary of location-based services and do their research before installing or activating them.
