Saturday, 29 September 2018

Telegram anonymity fails in desktop - CVE-2018-17780

Hi Internet,

Summary: Strangely tdesktop 1.3.14 and Telegram for windows (3.3.0.0 WP8.1) leaks end user private and public IP address while making calls. This bug was awarded €2000 by Telegram security team. (Sweeet..)
Img Src: https://telegram.org/img/tl_card_synchronize.gif
Telegram is supposedly a secure messaging application, but it forces clients to only use P2P connection while initiating a call, however this setting can also be changed from "Settings > Privacy and security > Calls > peer-to-peer" to other available options. The tdesktop and telegram for windows breaks this trust by leaking public/private IP address of end user and there was no such option available yet for setting "P2P > nobody" in tdesktop and telegram for windows.

PS: Even telegram for android will also leak your IP address if you have not set "Settings > Privacy and security > Calls > peer-to-peer > nobody" (But Peer-to-Peer settings for call option already exists in telegram for android).

To view this in action in tdesktop:
1. Open tdesktop,
2. Initiate a call to anyone,
3. You will notice the end user IP address is leaking.
 

Other scenario:
1. Open tdesktop in Ubuntu and login with user A
2. Open telegram in windows phone login with user B
3. Let user B initiate the call to user A
4. While user A access log will have public/private IP address of user B.
Not only the MTProto Mobile Protocol fails here in covering the IP address, rather such information can also be used for OSINT. This issue was fixed in 1.3.17 beta and v1.4.0 which have an option of setting your "P2P to Nobody/My contacts", Later CVE-2018-17780 was assign to this vulnerability.


Regards
Share:

0 coment�rios:

Post a Comment