An expert who observed that the "People Nearby" feature of messaging
platform Telegram risked revealing users' accurate locations has now
been told that the feature is "working as expected." Users of the
"People Nearby" feature can view a list of other Telegram users
within a radius of a few miles. Users can also find local group
chats.

Ahmed Hassan used software that allowed him to fake the location of
his Android phone. Using it, he located individuals from three
different points, then used trilateration to pinpoint each user's
exact location. Using this method, which is quite easy, Hassan could
obtain users' accurate locations, including their home addresses.
Hassan had found the issue hoping to receive a bug bounty as a
reward; instead, he was told that Telegram users share their
locations intentionally in the "People Nearby" section, and that it
is expected that a user's exact location can sometimes be determined
under certain conditions.

But Hassan says that when a user enables "People Nearby" location
sharing, they are indirectly posting their residential address
online. Many users are unaware of this while they are using the
feature. He also believes there is a widespread problem in which
hackers or users with malicious intent can use fake locations to
join local group chats and target users with spam or phishing
attacks using malicious links. These include fraudulent links and
fake Bitcoin investments, which is evidence of poor app security.
Telegram claims that its platform is "more secure than mass market
messengers like WhatsApp and Line."

However, Telegram fails to mention the risks that can arise from
malicious users. Other apps have also experienced the location issue
in recent times. The Register reports, "obtaining the
location of nearby users is not an issue exclusive to digital
devices. A stranger may follow someone home, for example. It is
also not so long ago that a huge printed directory of local names,
addresses, and telephone numbers used to be delivered to almost
every home in many countries – and in the UK BT's online Phone Book
service still offers a person search, including address details for
those who have not opted out."