Nearby Share feature can be exploited by adversaries to spoof GPS and get access to users’ exact location.
Telegram is a messaging app with a focus on speed and security: a cross-platform, cloud-based instant messaging, video calling, and VoIP service.
However, a special feature in the secure messaging app, People Nearby, can be abused to unmask a user’s precise location, a researcher said.
According to bug-hunter Ahmed Hassan, the feature could allow an attacker to triangulate the location of unsuspecting Telegram users.
Though the feature is disabled by default, “Users who enable this feature are not aware they are basically publishing their precise location.”
People Nearby feature — If Enabled?
Bug hunter Ahmed reached out to Telegram on Dec 22, 2020, with a complete write-up about the exploit.
Twitter in response after 14 days, the company asked him to create a video of the exploit he did.
According to his blog, the adversary can use one of the following options:
- Use a hardware GPS spoofer (Very hard to get, and the FCC will fine you hard if you use such a device)
- Use root to spoof GPS (Medium)
- Just walk around the area, collect the GPS latitude and longitude of yourself, and how far the target person is from you (Super easy)
Using the second method, GPS spoofing, he was able to get a user’s exact home address.
In addition, “The number of illegal activities I saw there make the Silkroad look like amateurs ran it,” he said.
However, “It’s expected that determining the exact location is possible under certain conditions. Unfortunately, this case is not covered in our bug-bounty program,” Telegram replied.
In short, Telegram said it’s not an issue. If you use this feature, please make sure to disable it, unless you want your location to be accessible by everyone.