Monday, January 4, 2021

Telegram publishes users' locations online.

A few years ago, while using the Line app, I noticed a feature called "People nearby." The feature lets you connect with other Line users within the same area. The feature would give you the exact distance from you to the other users. If someone spoofs their latitude and longitude, they can triangulate a user and find their location. I reported an issue in the Line app, and they paid me $1000 for it. They fixed it by adding a random number to the user's destination. You can find my name here

A few days ago, I installed Telegram, and I noticed that they have the same feature. I tried to see if I could unmask other users' locations, and I found they have the same issue I discovered in the Line app a few years ago. I reported the problem to Telegram security, and they said it's not an issue. If you enable the feature of making yourself visible on the map, you're publishing your home address online. A lot of users don't know this when they enable that feature. This is what they said when I emailed them:

From: security@telegram.org

To: me


Hello,

Thanks for reaching us out. Users in the People Nearby section intentionally share their location, and this feature is disabled by default. It's expected that determining the exact location is possible under certain conditions.

Unfortunately, this case is not covered by our bug bounty program.


Disclosure timeline: 

  • Contacted Telegram on December 22nd with full details of how to exploit the information.
  • They responded on December 23rd; they asked me to create a video of the PoC 🙄
  • I made a video on the same day and sent it to them.

  • They responded after 14 days, saying their bug bounty program does not cover the issue.


So, here is how it works in detail:
Open Telegram, and go to people near me, there is an option to see how far people are from your location.


After you click on it, it will show a list of people near you like the following:

If you notice, Telegram is telling me how far each person is from me. An adversary can spoof their location for three points and use them to draw three triangulation circles. To spoof a GPS location, the adversary can do one of the following options:

1. Use a hardware GPS spoofer (very hard to get, and the FCC will fine you hard if you use such a device)
2. Use root to spoof the GPS (medium)
3. Just walk around the area, collect the GPS latitude and longitude of yourself, and how far the target person is from you (super easy)

For the sake of the demonstration, I will go with option number two. There is an app in the Play Store called GPS spoof; download it and install it. For some reason, the app doesn't work with Android 11; I used Android 7 instead. After that, collect 3 locations of a user for unmasking.


4. Spoof the location near the user within a 7-mile radius limit. That's the limit Telegram has in place. The targeted user lives in Bay Ridge, so I spoofed the address to the Bay Ridge area. Then collect how far that person is from that point. Repeat three times like the following:

 

 


5. Open Google Earth Pro, search for the latitude and longitude of the spoofed locations, and use the ruler to draw a circle with the target user's distance from each location. Here is the result:


The intersection of the three circles is the location of the user. To verify this, I added one of the users and asked them if they live near the point.


I was able to get that user's exact home address.

 

Telegram told me it's not an issue. If you use this feature, please make sure to disable it, unless you want your location to be accessible by everyone.
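On the service side, the leak comes from computing distances on exact coordinates. The sketch below is an added example, not code from Telegram, Line or this post: it compares rounding only the displayed number with snapping both positions to a grid cell before any distance is computed, and checks whether two homes inside one cell can be told apart from what is reported. The function names, the 0.01-degree cell size and the coordinates are assumptions constructed for the illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def snap(pos, cell_deg=0.01):
    """Centre of the grid cell containing pos (0.01 deg is about 1.1 km of latitude)."""
    return tuple((math.floor(c / cell_deg) + 0.5) * cell_deg for c in pos)

def report_rounded(viewer, target, step_m=1000):
    """Weak: exact positions are used, only the displayed number is rounded."""
    return round(haversine_m(viewer, target) / step_m) * step_m

def report_snapped(viewer, target, step_m=1000):
    """Stronger: both positions are coarsened before any distance is computed."""
    return round(haversine_m(snap(viewer), snap(target)) / step_m) * step_m

def distinguishable(report, target_a, target_b, viewers):
    """True if any viewer position gets different answers for the two targets."""
    return any(report(v, target_a) != report(v, target_b) for v in viewers)

# Constructed sample data: two positions about 550 m apart inside one grid cell,
# and a sweep of viewer positions north of them.
HOME_A = (10.0031, 20.0043)
HOME_B = (10.0081, 20.0043)
VIEWERS = [(10.02 + i * 0.001, 20.0043) for i in range(40)]

if __name__ == "__main__":
    print("rounded output leaks:", distinguishable(report_rounded, HOME_A, HOME_B, VIEWERS))
    print("snapped input leaks: ", distinguishable(report_snapped, HOME_A, HOME_B, VIEWERS))
```

Snapping bounds what any number of queries can learn to the cell itself; it does not hide which cell a user is in, so the cell size has to be chosen with that in mind.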

Unfortunately, Telegram's poor application security is reflected in the number of scammers they have within that feature. Telegram allows users to create local groups within a geographical area. Many scammers spoof their location and try to sell fake bitcoin investments, hacking tools, SSNs that are used for unemployment fraud, and so on. The amount of illegal activity I saw there makes the Silk Road look like amateurs ran it.

15 comments:

  1. It is not an issue, don't disclose your location if you don't want to be found.

  2. Wtf are you talking about Sergio? Of course it's an issue. God knows I disable all the location services on my apps but presumably this feature is supposed to allow people relatively close to each other to be able to chat, not to allow people to discover the user's exact location.

  3. I am fascinated tbh! It is so easy to perform an orchestrated attack on neighbors (more generally, all people within reach).
    Thanks for the insight!

  4. Hello,

    it is possible to connect microcontroller/PC
    acting as GPS receiver
    thru bluetooth/wire to your device.

    so essentially you do not need to generate GPS "frequencies", just NMEA data, so no FCC nor Faraday cage needed

    for example nice NMEA utilities at https://panaaj.bitbucket.io/
    or you can just google "nmea spoofing"


    https://backyardbrains.com/experiments/faraday

  5. In the first paragraph when you write destination I think you mean distance, correct?

  6. I don't really see this as any sort of bug or issue, and it is disabled by default. You have to opt into this feature actively and intentionally. It would be appropriate for them to provide a better warning disclaimer. However, if you just install Telegram and use it without knowledge of the feature, you are not put at any risk, and your article presents itself as if this is an always-on feature, which is not the case.

    Currently, upon enabling this feature it does provide the disclaimer "Users nearby will be able to view your profile and send you messages. This may help you find new friends, but could also attract excessive attention. You can stop sharing your profile at any time. Your phone number will remain hidden."

    This is an intended feature of the program. The only "fix" for this is removal of the feature. There is no bug or issue with Telegram itself. If you could pull the user's exact geocords, then and only then would this be a bug or exploit of the software itself that would require Telegram's software to be fixed. It is up to the individual to be vigilant and aware/protective of their own security, and Telegram by default settings poses no risk to users.

    Replies
    1. Hi Fidget,

      They can round to the nearest mile or km and add a static random noise. Tinder had the same issue and they fixed it by creating buckets. Users who enable this feature are not aware they are basically publishing their precise location.

    2. But even then, with enough samples you can narrow down the location just the same. Adding noise just makes it take more time and effort to triangulate a position. If someone is going to go through the effort to track down a person, the slightly inaccurate value is really not going to stop someone. And in the process of collecting multiple samples or using two devices with a known location/distance, you can narrow down what method it uses (rounding or adding/subtracting a randomized value). So even by changing it, you haven't solved that it does exactly what it's intended to do, provide your distance/location. The correct solution would be for an application to let you define your own location, a sort of "in vicinity of" opposed to actual device location (unless the user desires that, which again is the whole point of the feature).

      Here's the example for rounding. You triangulate it with three random points, like in your demonstration. You get an approximate location. Now you find the threshold at which the value changes from say 10km to 5km for each of those points, and you now have the exact value. Nothing was fixed.

      Here's an example of adding in static: Get the triangulation closer and closer. Eventually the static becomes trivial and you can narrow down to a more precise location. You would need to do this process anyways to verify the exact location from your example anyways. Adding noise will make it closer to impossible to maybe narrow down an exact accuracy for finding someone in an apartment complex when you factor the margin of error from the reporting device anyways, but you should still get within the range of a neighbours house of inaccuracy.

      My point is the only means of avoiding stalkers with this is to not use it. I did state that the warning should be better, and it should mention that it may allow others to find your location, but I simply don't agree that your mentioned methods will prevent a malicious tracker from finding their target with a high amount of accuracy.

  7. One site I'm a member of asks for users' location but also offers 4 levels of privacy based on Geohash https://en.wikipedia.org/wiki/Geohash#Design

    - 3 letter Geohash (margin of 160 km)
    - 4 letter Geohash (margin of 40 km)
    - 5 letter Geohash (margin of 5 km)
    - Exact coordinates

    For Telegram's use-case they might want to use something more precise than that since even 5km is not exactly "nearby".

    Or their disclaimer simply needs to be a lot more clear that it's possible for people to figure out their exact location.

  8. It was once neighborhood -full of people we know. Now we simply have no time to meet but it doesn't mean that we have to see in everyone someone who is lurking behind our anonym happiness.

  9. I have to add a thank for the job you have done 👍

  10. Lol, just found this website. I already have an automated script running in many major cities using Telegram's API to collect movement data of tens of thousands of users for months. Please don't fix it Telegram!

  11. You can download Telegram X, that one does not have the function of people nearby

  12. Uzbekistan is the best, but USA is better indeed, isn't it?
