Thursday, May 1, 2025
HomeComputer SecurityTelegram Leaks Public & Private IP Address While Making Calls

Telegram Leaks Public & Private IP Address While Making Calls

Published on

SIEM as a Service

Follow Us on Google News

Telegram Desktop version leaking users private and public IP address by default while initiating phone calls from tdesktop and telegram for windows.

Telegram offering encrypted chats and phone calls over the internet but its desktop and windows version leaking IP address.

Telegram Desktop application allows users only making phone calls by setting the P2P connection which is available to change from “Settings > Privacy and security > Calls > peer-to-peer”

- Advertisement - Google News

But tdesktop and telegram for windows don’t have any option like this to set up the Peer-to-peer connection.

Dhiraj Mishra, Researcher who discovered this serious flaw in Telegram stated that “Even telegram for Android will also leak your IP address if you have not set “Settings > Privacy and security > Calls > peer-to-peer >nobody” (But Peer-to-Peer settings for call option already exists in a telegram for android”

Telegram Desktop – IP Leaking Scenario 

Below example that can demonstrate from Ubuntu Desktop Telegram console while users making phone calls from Telegram desktop.

1. Open tdesktop,
2. Initiate a call to anyone,
3. You will notice the end user IP address is leaking.

In this case, Telegram desktop clients forMac, Windows, and Linux also would reveal users’ IP addresses.

So making phone calls from the desktop version and windows would leaks both users IP addresses but the mobile version will not do the same since it was set as Peer-to-peer communication by default.

He Also Explains the other following scenario that indicates the part of leaking IP address of the following.

  •  Open tdesktop in Ubuntu and login with user A
  •  Open telegram in windows phone login with user B
  •  Let user B initiate the call to user A
  •  While user A access log will have the public/private IP address of user B.  

After reporting this flaw to Telegram, Dhiraj was awarded a €2,000 bounty for his finding and issued the patch in the 1.3.17 beta and 1.4.0 versions of Telegram for Desktop where you can set your “P2P to Nobody/My Contacts.

Later CVE-2018-17780 was assigned to this vulnerability and the user requested to update their desktop clients as soon as possible in order to patch this flaw to maintain the anonymity.

Related Read

Advanced Android Malware Steal Users Facebook, Twitter, Telegram, Skype Messenger Data

Hackers Now Switching to Telegram as a Secret Communication Medium for Underground Cybercrimes

New Android RAT Spotted in Wild Abusing Telegram Protocol for Command and Control

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...

Commvault Confirms Zero-Day Attack Breached Its Azure Cloud Environment

Commvault, a global leader in data protection and information management, has confirmed that a...

FBI Uncovers 42,000 Phishing Domains Tied to LabHost PhaaS Operation

The Federal Bureau of Investigation (FBI) has revealed the existence of 42,000 phishing domains...

Tor Browser 14.5.1 Released with Enhanced Security and New Features

The Tor Project has announced the official release of Tor Browser 14.5.1, introducing a...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Is this Website Safe: How to Check Website Safety – 2025

is this website safe? In this digital world, Check a website is safe is...

Firefox 133.0 Released with Multiple Security Updates – What’s New!

Mozilla has officially launched Firefox 133.0, offering enhanced features, significant performance improvements, and critical...

Digital Wallets Bypassed To Allow Purchase With Stolen Cards

Digital wallets enable users to securely store their financial information on smart devices and...