A researcher who noted that using the “People Nearby” feature of popular messaging app Telegram exposed the exact location of the user has been told that it’s working as expected.
Folk who activate this feature see a list of other users within a few miles to “quickly add people nearby… and discover local group chats.”
Using a utility that fakes the location of an Android device, Ahmed Hassan was able to read off the distance to each nearby user from three different spoofed positions, and then use trilateration to pinpoint exactly where they were. He was able to retrieve exact home addresses using this method, which is not technically difficult: the feature reports a distance, so three distances from three known points are all that is needed.
Using trilateration to pinpoint an exact location from three separate distances. Pic courtesy: Ahmed’s Notes
Hassan reported the issue in the hope of a bug bounty only to be told: “Users in the People Nearby section intentionally share their location, and this feature is disabled by default. It’s expected that determining the exact location is possible under certain conditions.”
“If you enable the feature of making yourself visible on the map, you’re publishing your home address online. Lots of users don’t know this when they enable that feature,” Hassan said.
He also believes that there is a widespread problem with malicious users faking their location, joining local groups, and spamming users with fake Bitcoin investments or other frauds – evidence, he claims, of poor application security.
In its FAQ Telegram claims to be “more secure than mass market messengers like WhatsApp and Line” based on its security protocols, but does not address the risks from malicious users.
Similar location issues have come up before with other apps. Hassan discovered the same vulnerability in the Line messaging app, which he said “they fixed by adding a random number to the user’s destination”.
Last year, Strava user Andrew Seward observed: “Out running this morning on a new route and a lady runs past me. Despite only passing, when I get home Strava automatically tags her in my run. If I click on her face it shows her full name, picture and a map of her running route (which effectively shows where she lives).”
Obtaining the location of nearby users is not an issue exclusive to digital devices. A stranger may follow someone home, for example. It is also not so long ago that a huge printed directory of local names, addresses, and telephone numbers used to be delivered to almost every home in many countries – and in the UK BT’s online Phone Book service still offers a person search, including address details for those who have not opted out.
That said, Telegram could do better. We installed Telegram on an Android device and found that enabling People Nearby and choosing to “Show your profile” raises a warning that “users nearby will be able to view your profile and send you messages. This may help you find new friends but could also attract excessive attention.”
It does not state that strangers with a small amount of knowhow can easily discover where you live. Nor does the aforementioned FAQ mention it, nor even the Advanced FAQ “for the technically minded”. Most of the focus is on encryption.
As discussed on Hacker News, Apple made some remarks on the subject at its developer event last year, stating that location information should be tailored to the requirement and that there are cases where sharing “just a little bit of location information makes sense for the app’s expected functionality.”
Apple also told developers at the event that “starting in iOS 14 a new option will appear in the prompts for users – Precise. This option lets the user grant an app only their approximate rather than their exact location.”
The company added that “asking for full accuracy only when it’s actually needed makes users more likely to give you what you need.”
For Telegram’s purposes it might be sufficient simply to report which users are within a seven-mile radius, for example, rather than exposing each one’s exact distance.
Whether or not Telegram’s current behaviour is a bug is open to debate, but improved transparency and the ability to give more approximate or slightly randomised distances would be welcome.
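To make the attack and the proposed mitigations concrete, the following is an added illustration written for this piece; it is not code from Hassan, Telegram or Line. It assumes a flat local coordinate frame in metres (adequate over the few miles People Nearby covers), a service that returns one distance per visible user, and a made-up victim position, three made-up spoofed attacker positions, a 100 m rounding bucket and a ±50 m jitter range. It carries out the trilateration Hassan describes and then reruns it against rounded and against per-query randomised distances, the two mitigations discussed above.

```python
"""Trilateration of a "People Nearby" target from three spoofed positions,
then the same attack against coarsened and jittered distances.

Added example, not the article's or any vendor's code.  Coordinates are
metres in a flat local frame; HOME, BEACONS, bucket and jitter sizes are
constructed inputs chosen for illustration.
"""
import math
import random

# Constructed scenario: the victim's home and three positions the attacker
# reports via a fake-GPS app, all within the feature's "nearby" range.
HOME = (120.0, -40.0)
BEACONS = [(500.0, 0.0), (0.0, 700.0), (-400.0, -300.0)]


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def trilaterate(beacons, dists):
    """Return (x, y) given three beacon positions and the distance to each.

    Subtracting the first circle equation from the other two cancels the
    quadratic terms, leaving a 2x2 linear system solved by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = beacons
    d1, d2, d3 = dists
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = x2**2 - x1**2 + y2**2 - y1**2 - d2**2 + d1**2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = x3**2 - x1**2 + y3**2 - y1**2 - d3**2 + d1**2
    det = a * e - b * d
    if abs(det) < 1e-9:
        # Collinear beacons give two mirror-image solutions; the attacker
        # simply picks a third spoofed point off the line.
        raise ValueError("beacons are collinear; choose another spoofed point")
    return ((c * e - b * f) / det, (a * f - c * d) / det)


def true_distances():
    return [distance(b, HOME) for b in BEACONS]


def coarsen(d, bucket):
    """Mitigation 1 (assumed design): round each distance UP to a bucket."""
    return math.ceil(d / bucket) * bucket


def jitter(d, spread, rng):
    """Mitigation 2 (assumed design): add fresh uniform noise per query."""
    return d + rng.uniform(-spread, spread)


def error_exact():
    """Metres between HOME and the fix from exact distances (the attack)."""
    return distance(trilaterate(BEACONS, true_distances()), HOME)


def error_coarse(bucket=100.0):
    """Metres of error when the service only reports bucketed distances."""
    dists = [coarsen(d, bucket) for d in true_distances()]
    return distance(trilaterate(BEACONS, dists), HOME)


def error_jittered(rounds=200, spread=50.0, seed=1):
    """Metres of error after averaging fixes from `rounds` jittered queries.

    Per-query noise is independent, so the attacker repeats the query and
    averages; the noise cancels while the true position does not.
    """
    rng = random.Random(seed)
    sx = sy = 0.0
    for _ in range(rounds):
        dists = [jitter(d, spread, rng) for d in true_distances()]
        x, y = trilaterate(BEACONS, dists)
        sx += x
        sy += y
    return distance((sx / rounds, sy / rounds), HOME)


if __name__ == "__main__":
    print(f"exact distances:            {error_exact():8.2f} m error")
    print(f"rounded up to 100 m:        {error_coarse(100.0):8.2f} m error")
    print(f"+/-50 m jitter, 200 queries: {error_jittered():8.2f} m error")
```

With the constructed inputs the exact fix lands on the victim's position, rounding every distance up to the next 100 m still leaves the fix within about 40 m of it, and averaging 200 queries defeats per-query jitter of ±50 m, bringing the fix back to within a few metres. The practitioner's caveat is that neither rounding nor fresh randomness per request is enough on its own: deterministic rounding can also be undone by nudging the spoofed position until the reported bucket changes, which reveals the exact boundary, and fresh noise averages out. What resists both is reporting only membership in a large region, or an offset that is random but fixed per user so that repeated queries return the same displaced answer.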
We have asked Telegram for comment. ®