Telegram Desktop App Leaks IP Addresses by Default When Making Calls

Telegram Messenger is an application with strong security and privacy, but it was discovered that the desktop version of the platform enables P2P calls by default. Telegram lets users create encrypted chats and phone calls with other users over the Internet, with a reliable form of privacy. Although Telegram Messenger is a secure and private communication app, a researcher has discovered that its default configuration allows a user's IP address to be leaked when making a call.

The Telegram app does show that users can prevent their IP address from being exposed by going to the settings of the Android and iPhone Telegram app. There is no reason for Telegram to enable P2P calls by default, as users won't know their IP address is already being leaked to the other party. To disable P2P calls, go to Settings -> Privacy and Security -> Voice Calls -> Peer-To-Peer -> Never or Nobody on your Android or iPhone.


The problem is that the desktop version has no setting to disable P2P calls, which means the user's IP address is leaked whenever they use Telegram to make a call. And the associated IP address leak in iOS and Android. According to BleepingComputer, security researcher Dhiraj discovered that the official Telegram for Desktop (tdesktop) and Telegram Messenger for Windows applications do not offer the ability to disable P2P calls.

Dhiraj was awarded a €2,000 bounty and his study was assigned the ID CVE-2018-17780, because he brought to Telegram's notice that the setting to disable P2P calls was missing from the Telegram for Desktop version.

The bug has since been fixed in the 1.3.17 beta and 1.4.0 versions of Telegram for Desktop, which now have a setting to disable P2P calls.