A bug finder claims Telegram's feature People Nearby can be easily exploited to find the exact location and see their profiles. However, Telegram does not seem to find any issue with the feature.
A blog post, Ahmed's Notes, illustrated how the feature can be exploited to track nearby users, see their profiles, and know their locations.
Telegram's People Nearby Feature can be exploited
The People Nearby feature of Telegram enables sending private messages to other nearby users. Also, profile details of those who activated Make Myself Visible will be displayed to users around them.
Telegram added this feature in June 2019 while the version 2.0 was rolled out in February 2020. If users enabled the Make Myself Visible option, their profile names and display photos will show up in contacts of those using the People Nearby option. This will allow users to send messages to other users near them, even if they close the app or navigate away from it.
Bug hunter Ahmed wrote a blog post on how to locate a user with the feature using a simple triangulation. According to Ahmed's Notes post, People Nearby feature can reveal the user's exact location and how far the person is. A user can plot others' three-point coordinates by simply walking within seven miles using a location app such as Fake GPS. They can note how far the person from these locations to and find his or her exact location using these three triangulation circles.
Ahmed noted that having such precise measurement makes the People Nearby feature prone to misuse and exploit. "It is so easy to perform an orchestrated attack on neighbors (more generally, all people within reach)," Ahmed said in reply to a comment.
Telegram finds no issue with the People Nearby feature
On Dec. 22, Ahmed claimed to have reached out to Telegram with complete details about how the exploit can be performed and the company asked him to create a video of it, which he did. After 14 days, Telegram noted that the People Nearby section is disabled by default while users who op to share their location could enable the feature.
"It's expected that determining the exact location is possible under certain conditions," Telegram said in the email shared by Ahmed in his post. The company added its bug bounty program does not cover the exploit.
Good thing, it can be easily fixed by simply switching off the Make Myself Visible option, which is turned off by default.
With almost 500 million users using Telegram, which touts its privacy features, particularly the end-to-end encrypted video calling for iOS and Android apps, although group calling is currently not yet available. Users can make video calls to anyone in their contacts while they can also have chats at the same time.
Meanwhile, Telegram will be introducing new features later in 2021 that Premium users can pay for as the platform aims to reach billions of users across the globe. However, all features that are currently free will remain free.
Related article: Telegram Introduces Voice Group Chat Feature, Similar to Discord
This is owned by Tech Times
Written by CJ Robles