A bug finder says that it is simple to hack Telegram’s People Nearby functionality to find the exact position and see their profiles. Nevertheless, Telegram does not seem to find any issues with the feature.
A blogger showed how hackers could use the feature to track neighboring users, display their profiles, and understand their positions.
Hackers can abuse the Nearby People function of Telegram
Telegram’s People Nearby function helps other nearby users to send private messages. Also, the app will show users around them profile info of those that activated Making Myself Available.
This feature was introduced by Telegram in June 2019, while developers released version 2.0 in February 2020. Suppose users have allowed the Make Myself Visible feature. In that case, they can show their profile names and images in contacts that use the People Nearby option. This would encourage users to submit messages, even if they close the app or navigate away from it, to other users near them.
Bug hunter Ahmed posted a blog about how a basic triangulation can be used to find a user with the feature. The People Nearby role will show the consumer’s exact position and how far the individual is. Using a location tool could plot the three-point locations of someone by merely walking within seven miles. They will notice how far the individual is from these points. Afterwards, they use these three triangulation circles to locate their precise location.
Ahmed stated that the People Nearby feature is likely to be misused and abused by providing such specific calculations. In response to a comment, Ahmed said that conducting a coordinated assault on neighbors is fast.
Telegram finds no problem with the People Nearby feature
Ahmed reported on Dec. 22 that he had reached out to Telegram with full descriptions about how the hack should be carried out. The organization requested him to make a video of it, which he did. After 14 days, Telegram noticed that the People Nearby segment is disabled by design. Although the function may be activated by users who opt to share their place.
In his message, Telegram said that it is anticipated that it is possible under some circumstances to decide the exact position in the email posted by Ahmed in his message. The firm added that its bug bounty scheme does not protect the hack.
Well, by simply switching off the Making Myself Transparent option, which is switched off by design, it can be easily resolved.
Telegram, which promotes its privacy features, particularly the end-to-end encrypted video communication for iOS and Android applications, with almost 500 million users, while group calling is not yet possible at the moment. In their contacts, users can make video calls to others, although they can still hold conversations at the same time.
Meanwhile, later in 2021, Telegram will be launching additional capabilities that Premium subscribers can compensate for while the app seeks to meet billions of users worldwide. The functions that are presently accessible, however, will stay free.