The desktop version of the security and privacy-focused, end-to-end encrypted messaging app, Telegram, has been found leaking both users’ private and public IP addresses by default during voice calls.
With 200 million monthly active users as of March 2018, Telegram promotes itself as an ultra-secure instant messaging service that lets its users make end-to-end encrypted chats and voice calls with other users over the Internet.
Security researcher Dhiraj Mishra uncovered a vulnerability (CVE-2018-17780) in the official Desktop version of Telegram (tdesktop) for Windows, Mac, and Linux, and Telegram Messenger for Windows apps that was leaking users’ IP addresses by default during voice calls due to its peer-to-peer (P2P) framework.
To improve voice quality, Telegram by default uses a P2P framework for establishing a direct connection between the two users while initiating a voice call, exposing the IP addresses of the two participants.