This project demonstrates how to obtain the remote party's IP information during Telegram calls, and even answering calls carries some risk .
In fact, this type of issue exists in all peer-to-peer connections based on WebRTC. It exposes the true IP address during the signaling process, ICE candidate gathering, connection establishment, and communication phases.
In reality, if you want to obtain someone's IP, it's not that difficult once they answer the call. You can simply send a disguised link for them to click on, and any arbitrary request on the web page can collect various endpoint information .
This project also demonstrates how to use Wireshark to monitor network card information and intercept data packets. The code portion is quite instructive and worth learning from.
Because if you have the peer ip (which WebRTC is sending the audio packets), you can do an IP to geo-reference and maybe get an idea if where the peer is, kinda, sorta.
There's the classic: face an opponent in a ranked match in an online game, find the opponent's voice chat account through some search, get the opponent's IP, DDoS the opponent offline using a booter service, win the match.
Or the other classic: DDoS the Twitch streamer.
My family's home internet was DDoSed offline for a short bit by someone using a Skype resolver and (I assume) a booter service trying to extort a Roblox item from me.
Telegram actually handles this well (better than some other similar chat apps like LINE, Viber, ...)
It has an option inside Security and Privacy, in the subsection on "Calls", where you can limit who can contact you using P2P calls and who will have the call routed through a central server of Telegram.
So usually you can restrict P2P only to your contacts for example, and everyone else will have calls routed to Telegram central server (or just disable calling altogether for everyone else)
This has been known for a long time. They offer mitigating controls. Doing a geoip lookup is misleading to the average person - it's not that fine grained!
Fine grained enough to narrow down the user to what country they are in as well as what general area in that country.
Then there’s the fact they’ll have the ISP they are connecting with as well.
That’s more than enough for anyone with the power to determine if you fall within their jurisdiction and what ISP to subpoena for fine grained account specifics, like name and address, while notifying whatever assets they have in the general vicinity before hand using the general location that came from the ARIN data.
An app like telegram that exists for user privacy should not leak your ip address, ever, nor should it require your mobile number to auth or use contacts & numbers to find your people. I feel like the world has gone insane and nobody noticed haha
18 comments
[ 4.1 ms ] story [ 49.0 ms ] threadIn fact, this type of issue exists in all peer-to-peer connections based on WebRTC. It exposes the true IP address during the signaling process, ICE candidate gathering, connection establishment, and communication phases.
In reality, if you want to obtain someone's IP, it's not that difficult once they answer the call. You can simply send a disguised link for them to click on, and any arbitrary request on the web page can collect various endpoint information .
This project also demonstrates how to use Wireshark to monitor network card information and intercept data packets. The code portion is quite instructive and worth learning from.
Or the other classic: DDoS the Twitch streamer.
My family's home internet was DDoSed offline for a short bit by someone using a Skype resolver and (I assume) a booter service trying to extort a Roblox item from me.
It has an option inside Security and Privacy, in the subsection on "Calls", where you can limit who can contact you using P2P calls and who will have the call routed through a central server of Telegram.
So usually you can restrict P2P only to your contacts for example, and everyone else will have calls routed to Telegram central server (or just disable calling altogether for everyone else)
The default is calls are P2P enabled
Then there’s the fact they’ll have the ISP they are connecting with as well.
That’s more than enough for anyone with the power to determine if you fall within their jurisdiction and what ISP to subpoena for fine grained account specifics, like name and address, while notifying whatever assets they have in the general vicinity before hand using the general location that came from the ARIN data.
An app like telegram that exists for user privacy should not leak your ip address, ever, nor should it require your mobile number to auth or use contacts & numbers to find your people. I feel like the world has gone insane and nobody noticed haha
Even in ones you were added to without your permission, people can just grab all their contacts and create a chat from that.