Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Privacy Security

Telegram Feature Exposes Your Precise Address To Hackers (arstechnica.com) 45

Posted by BeauHD from the stalking-made-simple dept.
Telegram has no plans to fix a vulnerability that makes it easy for hackers to find your precise location. The problem stems from a feature called People Nearby, which is disabled by default, but allows users who are geographically close to you to connect. Ars Technica reports: Independent researcher Ahmed Hassan, however, has shown how the feature can be abused to divulge exactly where you are. Using readily available software and a rooted Android device, he's able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user's precise location. Telegram lets users create local groups within a geographical area. Hassan said that scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers, and other scams.

Telegram lets users create local groups within a geographical area. Hassan said that scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers, and other scams. A proof-of-concept video the researcher sent to Telegram showed how he could discern the address of a People Nearby user when he used a free GPS spoofing app to make his phone report just three different locations. He then drew a circle around each of the three locations with a radius of the distance reported by Telegram. The user's precise location was where all three intersected.

In a blog post, Hassan included an email from Telegram in response to the report he had sent them. It noted that People Nearby isn't enabled by default and that "it's expected that determining the exact location is possible under certain conditions." People Nearby poses the biggest threat to people using Android devices, since they report a user's location with enough granularity to make Hassan's attack work. The recently released iOS 14, by contrast, allows users to divulge only a rough approximation of their location. People who use this feature aren't as exposed. Fixing the problem -- or at least making it much harder to exploit it -- wouldn't be hard from a technical perspective. Rounding locations to the nearest mile and adding some random bits generally suffices. When the Tinder app had a similar disclosure vulnerability, developers used this kind of technique to fix it.
This discussion has been archived. No new comments can be posted.

Telegram Feature Exposes Your Precise Address To Hackers More

Telegram Feature Exposes Your Precise Address To Hackers

Comments Filter:

  • good old triangulation (Score:5, Insightful)

    by Anonymouse Cowtard ( 6211666 ) on Wednesday January 06, 2021 @03:19AM (#60902144) Homepage
    Product works as designed, no need to "fix" it

  • Easy fix... (Score:3, Interesting)

    by BurningSpiral ( 413606 ) on Wednesday January 06, 2021 @03:20AM (#60902146) Homepage
    I wonder why telegram isn't willing to add a location rounding function. They could start with rounding to the nearest mile and randomizing the last few digits of the GPS location. Then reuse the exact same randomized locations everytime any user (with location sharing enabled) is near a previously used random location. Then add 2,3, and 5 mile rounding to protect users who live in rural locations (eg.10,000 acre farms)

    • Re: (Score:1)

      by mr5oh ( 1050964 )
      So I reluctantly use Telegram for a few things, however. My phone's location is never on unless I'm actively using the GPS. Telegram does not have access to my location, contacts, camera, microphone, etc. It's also not allowed to have background data, or run in the background. There is no need for apps to have all the permissions they have, nor be running all the time. I don't subscribe to the theory of unused RAM is wasted RAM. As while it maybe "wasted", those programs will inevitably be a security issue

    • Even easier fix: consider the implication of using a feature, and don't enable it unless you know what you're doing.

    • This still allows for narrowing a person's location to a region, and then the triangulation can be repeated inside the region to further narrow it down. This can be automated fairly easily as well. The real fix would be to disable nearby features by default, and require users to opt in, warning them other users may be able to determine their location.
      • Actually, it is possible to simply hide distances to another user if they are far away. Then random guessing is needed to try and find them. If the range needed to show distance is small enough this can potentially slow the process down dramatically.
      • Comment removed based on user account deletion
  • Like, they already admitted their "encryption" is bunk and the Russian government has everything. Why should they care about security issues either, at this point none of their userbase is smart enough to.
    • Where did they "admit" such a thing, and where's the proof?

    • Telegram uses no end-to-end encryption by default.

      Last time I checked, you had to go into a special mode first. And that only worked if both sides were online. Meaning Telegram currently having an incoming port open. So, in practice, never. In there, it didn't keep a history, and messaging would not work if the other person wasn't online.
      So painfully useless. Because the dev hasn't figured out how to safely keep a history and safely use a push server.

      AFAIK, Moxie is the only one who figured out encrypted gr

    • Telegram has precisely jackshit to do with the Russian government, but nice try to spread FUD.

  • Whatever... (Score:4)

    by sizzlinkitty ( 1199479 ) on Wednesday January 06, 2021 @04:10AM (#60902216)

    Must be a slow news day. In general, this is a very minor privacy issue compared to the other number of things slurping down everything on your mobile phone. This is a opt in privacy leak, let it be....

  • Helpful if I visit a fest or concert and want to connect to similar people Will it work with same accuractif they round off the location?

  • ...Telegram lets users create local groups within a geographical area. Hassan said that scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers, and other scams.

    Telegram lets users create local groups within a geographical area. Hassan said that scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers, and other scams. ...

  • Location feature exposes your location! *SHOCK* (Score:4, Insightful)

    by 278MorkandMindy ( 922498 ) on Wednesday January 06, 2021 @04:44AM (#60902276)

    It is LITERALLY DESIGNED to let people know where you are.

    • It is designed to let nearby people know that you are in the area, not to let pretty much anyone know exactly where you are. That's a rather important distinction.

      • Not really. Anyone with a little bit of intelligence could find you without using the triangulation method, just would be a little more difficult.

        Locks on doors are a measure to keep people out, but everyone is aware that they are very fallible to a person who wants to beat them. The same applies to locations. If you give someone a general idea of where you are, you have to reasonably expect they will be able to find you, if they try hard enough.

      • How would you know somebody is still inside the definition of "nearby" or not without their precise location?

        If you think about it, it's just not actually possible to know the former without the latter, as all edge cases would become "not sure", and if you exclude them most people nearby would not be found, and if you include them, you'd also include more people not actually nearby than people nearby, due to simple geometry.
        In any case, you would still know that people nearby are nearby. ("[Old redneck town

        • The service implementing this needs to know where you are, but it doesn't need to let anyone else know. They can just tell anyone who asks: "Person X is/isn't nearby". If you include a significant random element in that definition of "nearby" (for instance: distance
  • When i hear these articles i wonder who pays these people to experiment ? For every successful find, there must be dozens of 100s of hours that end up nowhere. Again who pays for those researchers and how do they make money ?

  • Telegram is not a privacy-enabled messenger (Score:5, Interesting)

    by BAReFO0t ( 6240524 ) on Wednesday January 06, 2021 @06:41AM (#60902444)

    I repeat: Telegram is not a privacy-enabled messenger
    It just gets confused for one.

    The fact that you have to enable a special mode, to send end-to-end encrypted messages, says it all. It should not be possible to send unencrypted messages, unless you very specifically say so.

    The fact that it's closed source, by itself, already maked that abundantly clear too. Might aswell use WhatsApp, and have FacebookNSA spy on you rather than TelegramFSB.

    Just use Signal. The bots are not worth is.

  • Doesn't every Android phone allow to select ones location in the developer options plus a location selection app?
  • i can't believe this is considered as a security issue. it only takes a sane person to be able to understand that enabling the feature will expose their location.
  • Comment removed based on user account deletion

  • Quoting from the summary:

    Hassan said that scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers, and other scams.

    Telegram lets users create local groups within a geographical area. Hassan said that scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers, and other scams.

    Do the "editors" even read the summaries anymore?

Slashdot Top Deals

Say "twenty-three-skiddoo" to logout.

Close