Monday, January 4, 2021

Telegram publishes users' locations online.

A few years ago, while using the Line app, I noticed a feature called "People nearby." It lets you connect with other Line users in the same area, and it shows the exact distance from you to each of them. If someone spoofs their latitude and longitude, they can trilaterate a user and find their location. I reported the issue to Line, and they paid me $1000 for it. They fixed it by adding a random offset to the reported distance. You can find my name here

A few days ago, I installed Telegram and noticed that it has the same feature. I checked whether I could unmask other users' locations and found that it has the same issue I discovered in Line a few years ago. I reported the problem to Telegram security, and they said it's not an issue. If you enable the option to make yourself visible on the map, you are publishing your home address online. A lot of users don't know this when they enable the feature. This is what they said when I emailed them:

From: security@telegram.org
To: me

Hello,

Thanks for reaching out to us. Users in the People Nearby section
intentionally share their location, and this feature is disabled by
default. It's expected that determining the exact location is possible
under certain conditions.

Unfortunately, this case is not covered by our bug bounty program.


Disclosure timeline:

  • Contacted Telegram on December 22nd with full details of how to exploit the issue.
  • They responded on December 23rd and asked me to create a video of the PoC 🙄
  • I made the video the same day and sent it to them.
  • They responded after 14 days, saying the issue is not covered by their bug bounty program.


So, here is how it works in detail:
Open Telegram and go to People Nearby; there is an option to see how far people are from your location.

After you tap it, it shows a list of people near you, each with the distance to them.

Telegram is telling me how far away each person is. An adversary can spoof their own location at three different points, record the reported distance at each, and draw three circles of those radii; the target is where the circles intersect (trilateration). To spoof a GPS location, the adversary can do one of the following:

1-Use a hardware GPS spoofer (very hard to get, and the FCC will fine you heavily if you use such a device)
2-Use a rooted Android device to spoof the GPS location (medium)
3-Just walk around the area, record your own GPS latitude and longitude at each point, and note how far the target is from you (super easy)

For the sake of the demonstration, I went with option two. There is an app in the Play Store called GPS spoof; download and install it. For some reason, the app doesn't work on Android 11, so I used Android 7 instead. Then collect three observations of the target in order to unmask them.


4-Spoof your location near the target, within the 7-mile radius limit that Telegram enforces. The targeted user lives in Bay Ridge, so I spoofed my position to the Bay Ridge area, then recorded how far that person was from that point. Repeat this three times from three different points, as in the following:


5-Open Google Earth Pro, search for the latitude and longitude of each spoofed location, and use the ruler to draw a circle around it with the distance reported for the target as the radius. Here is the result:


The intersection of the three circles is the location of the user. To verify this, I added one of the users and asked them whether they live near that point.


I was able to get that user's exact home address.
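The same trilateration can be done without Google Earth. The block below is an added example, not the author's code or anything from Telegram: it takes three (or more) spoofed observer positions plus the distance the app reported from each, subtracts the circle equations to get a linear system, and solves it by least squares. The target and observer coordinates are constructed for illustration (roughly the Bay Ridge, Brooklyn area), and `simulate_reports` stands in for the app's distance readout; its `jitter_m` parameter models the Line-style fix of adding a random offset to each reported distance.

```python
"""Trilaterate a "People Nearby" user from spoofed observer positions.

Added example; not the blog author's code or Telegram's. All coordinates
are constructed for illustration.
"""
import math
import random

EARTH_RADIUS_M = 6_371_000.0

# Constructed sample data: a hypothetical target and three spoofed observer
# positions a few kilometres away (well inside the 7-mile radius).
TARGET = (40.6230, -74.0280)
OBSERVERS = [(40.6400, -74.0100), (40.6100, -74.0500), (40.6350, -74.0550)]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres; used to simulate the reported distance."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def _to_local_xy(lat, lon, lat0, lon0):
    """Equirectangular projection to metres around (lat0, lon0).
    Accurate to a metre or so over the few-kilometre ranges involved."""
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_M
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y


def _from_local_xy(x, y, lat0, lon0):
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def trilaterate(observations):
    """observations: list of (lat, lon, reported_distance_m), 3 or more.
    Returns the (lat, lon) that best fits all circles (least squares).

    With observer 0 as the origin, subtracting circle i from circle 0
    cancels the x^2 + y^2 terms and leaves one linear equation per i:
        2*xi*x + 2*yi*y = d0^2 - di^2 + xi^2 + yi^2
    """
    if len(observations) < 3:
        raise ValueError("need at least three observer positions")
    lat0, lon0, d0 = observations[0]
    rows = []
    for lat, lon, d in observations[1:]:
        xi, yi = _to_local_xy(lat, lon, lat0, lon0)
        rows.append((2 * xi, 2 * yi, d0 ** 2 - d ** 2 + xi ** 2 + yi ** 2))
    # Normal equations (A^T A) v = A^T c for the two unknowns, solved by Cramer's rule.
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-6:
        raise ValueError("observer positions are collinear; pick a point off the line")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return _from_local_xy(x, y, lat0, lon0)


def simulate_reports(target, observers, jitter_m=0.0, seed=0):
    """Simulate the app's distance readout from each spoofed position.
    jitter_m > 0 models a Line-style fix: a random offset on every distance."""
    rng = random.Random(seed)
    reports = []
    for lat, lon in observers:
        d = haversine_m(lat, lon, target[0], target[1])
        if jitter_m:
            d = max(0.0, d + rng.uniform(-jitter_m, jitter_m))
        reports.append((lat, lon, d))
    return reports


def position_error_m(estimate, truth):
    return haversine_m(estimate[0], estimate[1], truth[0], truth[1])


if __name__ == "__main__":
    exact = trilaterate(simulate_reports(TARGET, OBSERVERS))
    print("exact distances  -> error %.1f m" % position_error_m(exact, TARGET))
    noisy = trilaterate(simulate_reports(TARGET, OBSERVERS, jitter_m=300.0, seed=1))
    print("±300 m jitter    -> error %.1f m" % position_error_m(noisy, TARGET))
```

With exact distances the recovered point lands within a few metres of the target; the jittered run shows why adding a random offset to the displayed distance (what Line did) blunts the attack, although an adversary who can take many readings can still average some of that noise away.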


Telegram told me it's not an issue. If you use this feature, make sure to disable it, unless you want your location to be accessible to everyone.

Unfortunately, Telegram's poor application security is reflected in the number of scammers within that feature. Telegram allows users to create local groups within a geographical area. Many scammers spoof their location and try to sell fake bitcoin investments, hacking tools, SSNs used for unemployment fraud, and so on. The amount of illegal activity I saw there makes the Silk Road look like it was run by amateurs.

Saturday, December 19, 2020

Hello 2005 world.

This is a blog where I write my notes related to Python, Linux, AI, and Computer Security. I feel writing a blog post on Blogger is something so 2005. Regardless, I hope you enjoy it.