Telegram’s People Nearby feature reveals users’ exact locations
Independent researcher and bug-hunter Ahmed Hassan has found that Telegram’s ‘People Nearby’ feature lets a bad actor pinpoint the location of unsuspecting Telegram users from the distances the feature reports (strictly speaking trilateration, intersecting distance circles, though Hassan and the coverage call it triangulation).
Although ‘People Nearby’ is disabled by default, Hassan commented that any user who enables it might not be aware that he or she is effectively publishing their exact location.
A few years ago, while using the Line app, Hassan noticed a feature that lets users of the app in the same area connect with each other.
He says the feature gave the exact distance between users. “If someone spoofs their latitude, longitude, they can triangulate a user and find their location.”
Hassan reported the issue to Line and was paid $1,000 for it. Line fixed it by adding a random offset to the reported distance, so the figure shown no longer pins the other user to a single circle.
“A few days ago, I installed Telegram, and I noticed that they have the same feature. I tried to see if I can unmask other users' locations, and I found they have the same issue I discovered in the Line app a few years ago,” he says.
Hassan reported the problem to Telegram security, who said it was not an issue and was not covered by the bug bounty programme.
However, he says users who enable the feature of making themselves visible on the map are effectively publishing their home address online. “Lots of users don't know this when they enable that feature.”
How it works
A user who opens Telegram and goes to ‘People Nearby’ is offered the option of seeing how far other people are from their location. Tapping it shows a list of the people nearby.
Moreover, Telegram tells the user how far away each listed person is. “An adversary can spoof their location for three points and use them to draw three triangulation circles.”
To spoof a GPS location the adversary has several options. First, a hardware GPS spoofer, which is hard to obtain and can result in FCC fines if the user is caught. Second, a rooted phone running a mock-location app such as GPS spoof from the Play Store. Third, the adversary can simply walk around the area, recording their own GPS latitude and longitude at each stop together with the distance Telegram reports to the target from there.
He demonstrated the second method. With the GPS spoof app installed, he set his location to a point near the target within Telegram’s seven-mile radius limit (the feature only lists people within that radius), recorded the distance Telegram reported to the target from that point, and repeated this for three points.
Armed with the three spoofed positions and the three reported distances, a bad actor can open Google Earth Pro, mark each spoofed position, use the ruler to draw a circle of the reported distance around it, and read off where the three circles meet. (The three points should not lie on a straight line, or the circles will not intersect in a single point.)
“The intersection of the three circles is the location of the user,” Hassan said. “To verify this, I added one of the users and asked them if they live near the point. I was able to get that user’s exact home address.”
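The procedure above, and the Line fix mentioned earlier (fuzzing the reported distance), as a worked example in Python. This is added code, not Telegram’s, Line’s or Hassan’s: it intersects the three distance circles algebraically instead of in Google Earth Pro, then shows how much the estimate degrades when the reported distance is coarsened. The target position, the three spoofed attacker positions and the assumption that the app reports the geodesic distance between users are all constructed for illustration.

```python
"""Added example: recover a user's position from three distance readings
taken at spoofed positions, then show how coarsening the reported distance
degrades the result. All coordinates below are constructed."""
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres. Stands in for the distance the app
    computes between two users (assumption: it is geodesic)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def to_local(lat, lon, lat0, lon0):
    """Equirectangular projection to metres east/north of (lat0, lon0).
    Error is well under a metre at the few-kilometre scale of this attack."""
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_M
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y


def from_local(x, y, lat0, lon0):
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def trilaterate_planar(p1, d1, p2, d2, p3, d3):
    """Intersect three circles (centre, radius) in the plane. Subtracting the
    first circle's equation from the other two leaves two linear equations in
    (x, y), which are solved directly. Centres must not be collinear."""
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = x2**2 - x1**2 + y2**2 - y1**2 - d2**2 + d1**2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = x3**2 - x1**2 + y3**2 - y1**2 - d3**2 + d1**2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("spoofed positions are collinear; pick a third point off the line")
    return (c * e - b * f) / det, (a * f - c * d) / det


def locate(readings):
    """readings: three (lat, lon, distance_m) tuples, one per spoofed position.
    Returns the estimated (lat, lon) of the target."""
    lat0, lon0 = readings[0][0], readings[0][1]
    centres = [to_local(lat, lon, lat0, lon0) for lat, lon, _ in readings]
    dists = [dist for _, _, dist in readings]
    x, y = trilaterate_planar(centres[0], dists[0], centres[1], dists[1], centres[2], dists[2])
    return from_local(x, y, lat0, lon0)


def coarsen(distance_m, step_m):
    """A Line-style mitigation. The article says Line added a random offset;
    rounding to a coarse step is the deterministic variant used here."""
    return round(distance_m / step_m) * step_m


# Constructed scenario: one target user and three spoofed attacker positions.
TARGET = (40.7580, -73.9855)
SPOOFED = [(40.7700, -73.9700), (40.7450, -73.9700), (40.7550, -74.0050)]


def simulate(step_m=None):
    """Return (est_lat, est_lon, error_m) using exact reported distances, or
    distances coarsened to step_m metres when step_m is given."""
    readings = []
    for lat, lon in SPOOFED:
        dist = haversine_m(lat, lon, *TARGET)
        readings.append((lat, lon, dist if step_m is None else coarsen(dist, step_m)))
    est_lat, est_lon = locate(readings)
    return est_lat, est_lon, haversine_m(est_lat, est_lon, *TARGET)


if __name__ == "__main__":
    for label, step in (("exact distances", None), ("distances rounded to 500 m", 500)):
        lat, lon, err = simulate(step)
        print(f"{label}: estimate ({lat:.5f}, {lon:.5f}), error {err:.1f} m")
```

With exact distances the estimate lands within a metre or so of the constructed target (the residual is only the flat-earth approximation); with distances coarsened to 500 m the same three readings miss by well over a hundred metres, which is the whole point of Line’s fuzzing fix. Because the three readings constrain the target to the intersection of circles, not to an angle, picking spoofed points that are spread around the target rather than in a line gives the best conditioning.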
Disable the feature
Hassan advises that although Telegram told him it's not an issue, anyone using Telegram should be sure to disable this feature. “Unless you want your location to be accessible by everyone.”
He says Telegram's weak application security is reflected in the number of scammers exploiting the feature. “Telegram allows users to create local groups within a geographical area. Many scammers spoof their location and try to sell fake bitcoin investments, hacking tools, SSNs that are used for unemployment fraud, and so on. The amount of illegal activities I saw there makes the Silk Road look like amateurs.”