Telegram is the messaging platform of choice for millions around the world. A big part of its appeal has been the privacy features that it has to offer, but is it really as secure as users think? A new report looks at how the service's People Nearby feature can be exploited to reveal the location of other users without much difficulty.
If you're unaware of People Nearby, the feature allows Telegram users to initiate conversations with people or join local groups in their vicinity. Apart from showing their name and display picture, it also reveals how far away these people are. As it turns out, showing that precise measurement is exactly what makes the feature vulnerable to misuse.
To obtain the exact location of a user making use of People Nearby, an adversary has to spoof three sets of coordinates (using an app like Fake GPS location or even by simply walking around) within a 7-mile radius of the target and note how far the user is from these three locations.
Using a fake GPS signal to gather distance data.
Once the distances are noted, the adversary can then use Google Earth Pro to enter those 3 location coordinates and draw circles around them, with each radius matching one of the distance readings. The intersection of the three circles will reveal the location of the user.
Overlapping circles reveal the user's location.
While it's difficult to say how much this vulnerability has already been exploited, it's easy to guess how this could be used by scammers or other adversaries to their advantage. Similar features from other companies have addressed this issue by adding a random number to the distance shown, making triangulation efforts futile. It remains to be seen if Telegram will issue a similar fix on its own — we'll update this post if we hear more.
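A sketch of how a service could apply the offset fix described above on the server side. This is an added example, not Telegram's or any other vendor's code; the key, user ID, grid size, offset range, bucket size and coordinates are all assumptions. It goes slightly beyond a plain random number: the offset is derived with an HMAC so repeated requests return the same value, and both positions are snapped to a grid before the distance is computed.

```python
import hashlib
import hmac
import math

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the service
CELL_DEG = 0.01      # assumption: coordinates snap to roughly 1 km grid cells
MAX_OFFSET_M = 800   # assumption: keyed offset stays within +/- 800 m
BUCKET_M = 500       # assumption: displayed values are multiples of 500 m

def snap(lat, lon):
    """Replace a coordinate with the centre of its grid cell."""
    return ((math.floor(lat / CELL_DEG) + 0.5) * CELL_DEG,
            (math.floor(lon / CELL_DEG) + 0.5) * CELL_DEG)

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dlat, dlon = p2 - p1, math.radians(b[1] - a[1])
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def keyed_offset_m(target_id, viewer_cell):
    """Offset in [-MAX_OFFSET_M, MAX_OFFSET_M), fixed per target and viewer cell."""
    msg = f"{target_id}|{viewer_cell[0]:.5f}|{viewer_cell[1]:.5f}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    frac = int.from_bytes(digest[:8], "big") / 2 ** 64
    return (2 * frac - 1) * MAX_OFFSET_M

def displayed_distance_m(target_id, target_pos, viewer_pos):
    """Distance value the client is allowed to see."""
    viewer_cell = snap(*viewer_pos)
    coarse = haversine_m(snap(*target_pos), viewer_cell)
    noisy = max(0.0, coarse + keyed_offset_m(target_id, viewer_cell))
    return (int(noisy // BUCKET_M) + 1) * BUCKET_M  # round up, never show 0

# Constructed sample data: one target and two viewer fixes a few metres apart.
TARGET = (48.85837, 2.29448)
VIEWER_A = (48.87012, 2.31020)
VIEWER_B = (48.87015, 2.31026)

if __name__ == "__main__":
    print(displayed_distance_m("user-123", TARGET, VIEWER_A))
    print(displayed_distance_m("user-123", TARGET, VIEWER_B))
```

Because the viewer's position is snapped before anything else happens, small movements inside one cell return an identical reading, and the client never receives the unrounded distance.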
- Ahmed's Notes