Date: 2023-10-19

A security researcher has discovered that the popular messaging app, Telegram, can leak users’ IP addresses if they accept a phone call from a hacker who has been added to their contacts. This issue has been known for years, but many less technical users may not be aware of the privacy vulnerability.

The researcher, Denis Simonov, highlighted this issue and created a tool to exploit it. TechCrunch verified the findings by adding Simonov to a newly created Telegram account; after receiving a call from him, TechCrunch was provided with the IP address of the computer on which the experiment was conducted.

Telegram, with over 700 million users worldwide, has always marketed itself as a secure and private messaging app. However, experts have repeatedly warned that Telegram is not as secure as other end-to-end encrypted apps like Signal.

Telegram leaks users’ IP addresses during calls because it uses peer-to-peer connections by default to improve call quality and reduce latency. Because the connection is direct, both parties involved in the call need to know each other’s IP addresses. Calls from individuals not on a user’s contact list are routed through Telegram’s servers to obfuscate IP addresses.

To prevent IP address leaks, users can go to Telegram’s Settings > Privacy and Security > Calls and select “Never” in the Peer-to-Peer menu option.

It is worth noting that other messaging and calling apps have also been found to leak IP addresses, such as WhatsApp and Skype. WhatsApp was found to leak metadata that could expose a user’s IP address, while hackers could reveal someone’s IP address on Skype without any interaction. While Microsoft addressed the vulnerability in Skype, Telegram does not see this issue as a flaw and considers it a normal function of the app.

