MESSAGING APP Telegram might be famed for its strong security credentials, but its desktop app been found to contain a bug that was leaking users' IP addresses.
Dhiraj Mishra, a bug hunter from Mumbai, India, discovered the bug, which he says was causing Telegram's desktop app to leak both public and private IP addresses during voice calls to be made over a P2P (peer-to-peer) framework.
While users of Telegram's iOS and Android apps have the option of turning off P2P calls by heading to Settings > Privacy and security > Calls > Peer-To-Peer, there was no such option available for Telegram users on the desktop.
As Bleeping Computer reports, when using Peer-to-Peer (P2P) to initiate Telegram calls using the desktop app, IP address of the receiver will appear in the Telegram console logs.
The bug, CVE-2018-17780, was patched by Telegram with the releases of Telegram for Desktop v1.4.0 and v1.3.17 beta, and users can now switch off P2P by heading Settings > Privacy and security > Calls > Peer-To-Peer and setting the option to Nobody.
The company's security team also awarded the Mishra €2,000 for reporting the flaw.
"We've found and fixed the issue which our tester had. It turns out that during the sign in process, the API returned no value for the option (treated as 'everyone')," Telegram said in a statement given to Bleeping Computer.
"Then immediately after the user was signed in, the api returned the correct default value (my contacts). But it could take up to several hours for the client to refresh this configuration. So before we fixed this, the apps could display 'everyone' in the settings for an hour or two after a fresh login." µ
Buy shares in VPNs now
Yes, even the one your wrote while you were steaming drunk
Tens of people inconvenienced