A few years ago, while using the Line app, I noticed a feature called "People nearby." The feature lets you connect with other Line users within the same area. The feature would give you the exact distance from you to the other users. If someone spoofs their latitude, longitude, they can triangulate a user and find their location. I reported an issue in the Line app, and They paid me $1000 for it. They fixed it by adding a random number to the user's destination. You can find my name here.
A few days ago, I installed Telegram, and I noticed that they have the same feature. I tried to see if I can unmask other users' locations, and I found they have the same issue I discovered in the Line app a few years ago. I reported the problem to Telegram security, and they said it's not an issue. If you enable the feature of making yourself visible on the map, you're publishing your home address online. Lot of users don't know this when they enable that feature. This is what they said when I emailed them:
Thanks for reaching us out. Users in the People Nearby section
intentionally share their location, and this feature is disabled by
default. It's expected that determining the exact location is possible
under certain conditions.
Unfortunately, this case is not covered by our bug bounty program.
- Contacted Telegram on December 22nd with full details of how to exploit the information.
- They responded on December 23rd; they asked me to create a video of the PoC 🙄
- I made a video on the same day and sent it to them.
- They responded after 14 days, saying their bug bounty program does not cover the issue.
Open Telegram, and go to people near me, there is an option to see how far people are from your location.
2-Use root to spoof to GPS (Medium)
3-Just walk around the area, collect the GPS latitude and longitude of yourself, and how far the target person is from you (Super easy)
5-Open Google Earth Pro, search for latitude, the longitude of the spoofed locations, and use the ruler to draw a circle with the target user destination from each location. Here is the result:
I was able to get that user's exact home address.