The secure messaging app Telegram inadvertently leaked its desktop users’ personal information. The breach was caused by a bug in the desktop version of the Telegram app (126.96.36.199 WP8.1 for Windows). The flaw leaked users’ IP addresses during voice calls.
In other words, the flaw leaves users attempting to make a voice call through the Telegram web app vulnerable to cyberattacks. The bug was discovered by a security researcher named Dhiraj Mishra.
According to Mishra, Telegram uses a peer-to-peer (P2P) framework to establish a direct connection between two users during a voice call. But the web app flaw exposed the IP addresses of both participants.
The researcher also discovered that Telegram users had no option to turn off the feature, thus increasing their odds of falling victim to a cyberattack.
“Telegram is supposedly a secure messaging application, but it forces clients to only use P2P connection while initiating a call, however, this setting can also be changed from "Settings > Privacy and security > Calls > peer-to-peer" to other available options. The desktop and Telegram for Windows break this trust by leaking public/private IP address of end user and there was no such option available yet for setting "P2P > nobody" in tdesktop and Telegram for Windows,” Mishra said in a blog post.
Fortunately, Telegram fixed the bug in one of its latest security updates. The issue has been patched in versions 1.3.17 beta and 1.4.0 of Telegram for Desktop. The new versions offer a ‘Nobody’ option that lets users switch away from the buggy P2P feature.