The researcher discovered a vulnerability in Telegram. The fact is that the messenger provides users with the “People Nearby” function, thanks to which it is possible to determine the location of a social network client with an accuracy of several tens of meters.
Enthusiast Ahmed Hasan posted a message about the vulnerability found on his blog.
Several years ago, he already reported a similar flaw to the Line messenger development team. The creators of the messenger paid Hassan a bonus of $ 1,000 and fixed the problem.
Although Telegram only shows the distance to a particular user in the list, you can determine its exact location using triangulation.
To do this, you need to change your location twice, marking each time the distance to the user, and then draw on the map (for example, on Google maps) three circles with a centre in their coordinates and a radius equal to the found distance. The user will be at the intersection of the circles.
Let me remind you, by the way, that Researcher Earned $10,000 by Finding XSS Vulnerability in Google Maps.
At the same time, can be found only those users, who use the “People nearby” function.
It should be noted that alternative solutions in other applications for calculating the distance between users include the addition of a random number to the coordinates, which makes impossible determining the real geolocation, but in the case of Telegram, the developers decided to neglect this additional security measure.
