18 comments

[ 4.1 ms ] story [ 49.0 ms ] thread
This project demonstrates how to obtain the remote party's IP information during Telegram calls, and even answering calls carries some risk .

In fact, this type of issue exists in all peer-to-peer connections based on WebRTC. It exposes the true IP address during the signaling process, ICE candidate gathering, connection establishment, and communication phases.

In reality, if you want to obtain someone's IP, it's not that difficult once they answer the call. You can simply send a disguised link for them to click on, and any arbitrary request on the web page can collect various endpoint information .

This project also demonstrates how to use Wireshark to monitor network card information and intercept data packets. The code portion is quite instructive and worth learning from.

Why is knowing what peer you're connecting to on a P2P network an issue?
It isn’t as long as the peer is aware it happens, because otherwise Telegram isn’t P2P it’s centralized for messaging.
Because if you have the peer ip (which WebRTC is sending the audio packets), you can do an IP to geo-reference and maybe get an idea if where the peer is, kinda, sorta.
Meh, with NAT and CGNAT you're only going to get a rough idea. Lot of people using VPNs now too.
Place call to terrorist Telegram...GBU-31 comes down his stovepipe.
There's the classic: face an opponent in a ranked match in an online game, find the opponent's voice chat account through some search, get the opponent's IP, DDoS the opponent offline using a booter service, win the match.

Or the other classic: DDoS the Twitch streamer.

My family's home internet was DDoSed offline for a short bit by someone using a Skype resolver and (I assume) a booter service trying to extort a Roblox item from me.

Telegram actually handles this well (better than some other similar chat apps like LINE, Viber, ...)

It has an option inside Security and Privacy, in the subsection on "Calls", where you can limit who can contact you using P2P calls and who will have the call routed through a central server of Telegram.

So usually you can restrict P2P only to your contacts for example, and everyone else will have calls routed to Telegram central server (or just disable calling altogether for everyone else)

This has been known for quite some time now?
This has been known for a long time. They offer mitigating controls. Doing a geoip lookup is misleading to the average person - it's not that fine grained!
Fine grained enough to narrow down the user to what country they are in as well as what general area in that country.

Then there’s the fact they’ll have the ISP they are connecting with as well.

That’s more than enough for anyone with the power to determine if you fall within their jurisdiction and what ISP to subpoena for fine grained account specifics, like name and address, while notifying whatever assets they have in the general vicinity before hand using the general location that came from the ARIN data.

An app like telegram that exists for user privacy should not leak your ip address, ever, nor should it require your mobile number to auth or use contacts & numbers to find your people. I feel like the world has gone insane and nobody noticed haha

Meanwhile, WhatsApp - pretty much the most popular messaging app outside of the US - reveals your phone number to anyone in the same chat as you.

Even in ones you were added to without your permission, people can just grab all their contacts and create a chat from that.

If you want to show something like this off it would be more appropriate as a Show HN since there isn't anything novel here.