A feature that allows Telegram users to see who is nearby can be misused to pinpoint your exact distance to other users – by spoofing one’s latitude & longitude.
The “People Nearby” feature in the secure messaging app can be abused to reveal a user’s precise location, a researcher observed.
According to bug-hunter Ahmed Hassan, the “People Nearby” feature could allow an attacker to triangulate the location of unsuspecting Telegram users. The feature is disabled by default, but as Hassan points out, “Users who enable this feature are not aware they are basically publishing their precise location.”
3 Different Points
The feature lists exactly how far people are from one’s location (1.3 miles & so on). This is not an issue as long as that number remains a radius. It is possible to spoof one’s location for 3 different points, & then use the resulting 3 distances to precisely pinpoint where a target is, the researcher found.
To spoof a GPS location, an adversary has various options, but the easiest method, Hassan noted in a Mon. blog, is to “just walk around the area, collect the GPS latitude & longitude of yourself, & how far the target person is from you (super easy).”
“There is an app in the Google Play store called GPS spoof; download it & install it,” he noted. “After that…spoof the location near the user within a 7-mile radius limit. That is the limit Telegram has in place…then collect how far that person is from that point. Repeat 3 times.”
Knowing the 3 locations, an attacker can then open Google Earth Pro, plug in the spoofed locations, & use a ruler to find the middle point between the 3.
“The intersection of the three circles is the location of the user,” Hassan explained. “To verify this, I added one of the users & asked them if they live near the point. I was able to get that user’s exact home address.”
For Telegram’s part, the company explained it doesn’t regard the issue as a bug & declined Hassan’s security report.
“Users in the People Nearby section intentionally share their location, & this feature is disabled by default,” was Telegram’s response, according to the researcher.
“It’s expected that determining the exact location is possible under certain conditions. Unfortunately, this case is not covered by our bug-bounty program.”
To fix it, the company could round user locations to the nearest mile “& add a static random noise,” Hassan observed. “Tinder had the same issue & they fixed it by creating buckets.”