Telegram has a long-standing problem that allows, under certain circumstances, to determine the exact location of the user. Telegram developers know about it, but consider it not a bug or vulnerability, but a feature.
On GitHub a detailed description of the problem is given, utilities for its operation are laid out, and a video is posted that clearly shows how, with the help of fairly simple manipulations, you can see the position of specific people on the map.
The vulnerability has been around for about a year, as have the tools to exploit it. The necessary conditions:
- The attacker knows in which city the victim lives and needs to be tracked down
- The victim has People Nearby turned on, allowing them to see who is using Telegram nearby
- Victim allowed himself to be added to the People Nearby list
If these conditions are met, the attacker can use the substitution of GPS coordinates to move to the city where the tracked person lives, and using a special script, change their coordinates several times in order to determine the approximate position of the victim by triangulation.
The problem is exacerbated by the fact that Telegram shows a person with an accuracy of up to a meter, so triangulation allows you to very accurately determine where he is. The coordinates in the GPS system are determined quite accurately, although an error of 50 meters is allowed. If Telegram rounded the distance to users to a kilometer, it would be impossible to accurately calculate the location of the victim.
Functions similar to People Nearby in Telegram were in Tinder and Line, but these services abandoned them when information security researchers showed how they can be used to calculate where a particular person is. People Nearby is used in Telegram as an unofficial dating service, and the messenger is not going to get rid of this feature or make changes to its work.
The author claims that this vulnerability is actively exploited, but not for spying on people, but by scammers. They run bots with pretty girls as avatars and then swindle those who try to get to know them. Victims see that the girl is nearby, offer to meet, and the bot swindles money from them.
Telegram press service comments:
The People Nearby feature is disabled by default in Messenger. In addition, changes have recently been made to its work, making it impossible to calculate the exact location of the user by triangulation.