A feature that allows Telegram users to see who’s nearby can be misused to pinpoint another user’s exact location, by spoofing one’s own latitude and longitude.
According to bug-hunter Ahmed Hassan, the “People Nearby” feature could allow an attacker to triangulate the location of unsuspecting Telegram users. The feature is disabled by default, but as Hassan pointed out, “Users who enable this feature are not aware they are basically publishing their precise location.”
The feature lists exactly how far each person is from one’s location (1.3 miles and so on). On its own, that number only places the person somewhere on a circle of that radius around the viewer, which isn’t an issue. But it’s possible to spoof one’s location to three different points, and then use the three resulting distances to precisely pinpoint where a target is, the researcher found.
To spoof a GPS location, an adversary has various options, but the easiest method, Hassan noted in a Monday blog, is to “just walk around the area, collect the GPS latitude and longitude of yourself, and how far the target person is from you (super easy).”
Another option is to use a GPS-spoofing app.
“There is an app in the [Google Play] store called GPS spoof; download it and install it,” he noted. “After [that]…spoof the location near the user within a seven-mile radius limit. That’s the limit Telegram has in place…then collect how far that person is from that point. Repeat three times.”
Armed with the three spoofed locations and the distances reported from each, an attacker can then open Google Earth Pro, plot the points, and use the ruler tool to draw each distance as a circle and find where the three circles meet.
“The intersection of the three circles is the location of the user,” Hassan explained. “To verify this, I added one of the users and asked them if they live near the point. I was able to get that user’s exact home address.”
For Telegram’s part, the company said it doesn’t regard the issue as a bug, and declined Hassan’s security report.
“Users in the People Nearby section intentionally share their location, and this feature is disabled by default,” was Telegram’s response, according to the researcher. “It’s expected that determining the exact location is possible under certain conditions. Unfortunately, this case is not covered by our bug-bounty program.”
To fix it, the company could round user locations to the nearest mile “and add a static random noise,” Hassan said. “Tinder had the same issue and they fixed it by creating buckets.”
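The leak described above and the proposed fix can both be shown in a few dozen lines. The following is an added example written for this page, not code from Telegram, Tinder or the researcher. It models a hypothetical “nearby” server API in two variants: one that discloses the precise great-circle distance, and one that adds a static, per-user random offset and rounds to one-mile buckets as the article suggests. A simple three-circle intersection (the same geometry as the Google Earth ruler method) is run against both, so the difference in the recovered position is visible directly. The coordinates, user id and server secret are constructed sample values.

```python
"""Trilateration leak in a "people nearby" feature, and the rounding plus
static-noise mitigation suggested in the article.  Example code added for
this page; the coordinates, user id and server secret are constructed."""
import hashlib
import math

EARTH_RADIUS_MI = 3958.8
MAX_RADIUS_MI = 7.0          # the article quotes a seven-mile listing limit


def haversine_mi(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(h))


def exact_distance(viewer, target_pos):
    """Weak behaviour (hypothetical API): the precise distance is disclosed."""
    return haversine_mi(viewer, target_pos)


def static_noise_mi(target_id, secret, max_noise_mi):
    """Per-user offset in [-max_noise, +max_noise] that is identical on every
    query, derived from a server-side secret so it can be neither predicted
    nor averaged away by repeated lookups."""
    digest = hashlib.sha256(f"{secret}:{target_id}".encode()).digest()
    unit = int.from_bytes(digest[:8], "big") / 2 ** 64      # [0, 1)
    return (2 * unit - 1) * max_noise_mi


def bucketed_distance(viewer, target_pos, target_id, secret,
                      bucket_mi=1.0, max_noise_mi=0.5):
    """Hardened behaviour: add the static noise, then round to the nearest
    bucket.  The noise is what stops bucket boundaries from acting as a ruler."""
    d = haversine_mi(viewer, target_pos) + static_noise_mi(target_id, secret, max_noise_mi)
    return max(bucket_mi, round(d / bucket_mi) * bucket_mi)


def to_plane_mi(point, origin):
    """Equirectangular projection to (x east, y north) miles around `origin`;
    accurate to a few metres at the distances involved here."""
    lat0 = math.radians(origin[0])
    x = math.radians(point[1] - origin[1]) * math.cos(lat0) * EARTH_RADIUS_MI
    y = math.radians(point[0] - origin[0]) * EARTH_RADIUS_MI
    return x, y


def trilaterate(points, radii):
    """Intersection of three circles: subtract the first circle's equation from
    the other two, which leaves a 2x2 linear system solved by Cramer's rule."""
    origin = points[0]
    (x1, y1), (x2, y2), (x3, y3) = (to_plane_mi(p, origin) for p in points)
    r1, r2, r3 = radii
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1 ** 2 - r2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1 ** 2 - r3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("observation points must not be collinear")
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det


def position_error_mi(points, radii, true_pos):
    """Distance between the trilaterated estimate and the true position."""
    ex, ey = trilaterate(points, radii)
    tx, ty = to_plane_mi(true_pos, points[0])
    return math.hypot(ex - tx, ey - ty)


# Constructed scenario: one target and three spoofed viewer positions around it,
# all well inside the seven-mile listing radius.
TARGET = (40.7500, -73.9900)
VIEWPOINTS = [(40.7400, -73.9800), (40.7600, -73.9700), (40.7450, -74.0050)]
TARGET_ID, SECRET = "user-42", "server-secret-example"


def leak_error_mi():
    """How far off the estimate is when the server discloses precise distances."""
    radii = [exact_distance(v, TARGET) for v in VIEWPOINTS]
    return position_error_mi(VIEWPOINTS, radii, TARGET)


def mitigated_error_mi():
    """The same estimate when distances are noised and bucketed."""
    radii = [bucketed_distance(v, TARGET, TARGET_ID, SECRET) for v in VIEWPOINTS]
    return position_error_mi(VIEWPOINTS, radii, TARGET)


if __name__ == "__main__":
    print(f"precise distances:       estimate off by {leak_error_mi():.4f} mi")
    print(f"bucketed + static noise: estimate off by {mitigated_error_mi():.2f} mi")
```

With precise distances the estimate lands within a few metres of the target (the residual is only projection error); with one-mile buckets and a half-mile static offset every reported distance collapses to one or two miles and the estimate is off by a sizeable fraction of a mile. The offset must be fixed per user rather than drawn fresh on each query, otherwise repeated lookups would let an observer average it out; keying it to a server secret is what makes it static without being predictable.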
Telegram did not immediately return a request for comment.