Telegram Vulnerability Allows User Location Tracking
The Telegram messenger app offers a “People Nearby” feature, which enables users to determine the location of others on the platform with an accuracy of several dozen meters. Enthusiast Ahmed Hasan reported a vulnerability related to this feature on his blog. A few years ago, he had already informed the developers of the Line messenger about a similar issue. The creators of Line rewarded Hasan with a $1,000 bounty and fixed the problem.
Although Telegram only displays the distance to another user in the list, it is possible to pinpoint their exact location using triangulation (strictly speaking, trilateration, since the method relies on distances rather than angles). To do this, you need to change your own location twice, each time noting the distance to the target user. Then, you plot three circles on a map, each centered on one of your three positions (the original one and the two new ones) with a radius equal to the distance measured from that position. The user will be located at the intersection point of these circles. This method only works for users who have enabled the “People Nearby” feature.
It is worth noting that alternative solutions in other apps for calculating the distance between users typically add a random value to the coordinates, making it impossible to determine the real location. However, in Telegram’s case, the developers chose to forgo this additional security measure.
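The effect of that measure can be checked with a small simulation, added here as an example (it is not code from Telegram, Line or Hasan's blog). It assumes a flat grid in metres, a hypothetical 500 m maximum shift, and a per-user shift derived with HMAC so that it stays the same across queries and cannot be averaged away by repeating them; all names and values are constructed.

```python
import hashlib
import hmac
import math

MAX_OFFSET_M = 500.0  # assumed obfuscation radius, not a value from the article

def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def user_offset(user_id, secret):
    """Stable pseudo-random shift in metres for one user (50-100% of MAX_OFFSET_M)."""
    digest = hmac.new(secret, user_id.encode(), hashlib.sha256).digest()
    angle = int.from_bytes(digest[:4], "big") / 2**32 * 2 * math.pi
    radius = MAX_OFFSET_M * (0.5 + 0.5 * int.from_bytes(digest[4:8], "big") / 2**32)
    return radius * math.cos(angle), radius * math.sin(angle)

def reported_distance(observer, target, user_id, secret=None):
    """Distance the service would display; with a secret the target is shifted first."""
    if secret is not None:
        dx, dy = user_offset(user_id, secret)
        target = (target[0] + dx, target[1] + dy)
    return distance(observer, target)

def intersect_circles(centres, radii):
    """Common point of three circles, found by subtracting the first circle equation."""
    (x1, y1), (x2, y2), (x3, y3) = centres
    r1, r2, r3 = radii
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("observer positions are collinear")
    return (c * e - b * f) / det, (a * f - c * d) / det

def localisation_error(target, observers, user_id, secret=None):
    """Metres between the true position and the point the three circles yield."""
    radii = [reported_distance(o, target, user_id, secret) for o in observers]
    return distance(intersect_circles(observers, radii), target)

# Constructed sample data on a flat grid in metres (no real coordinates).
TARGET = (1200.0, 800.0)
OBSERVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
SECRET = b"constructed-demo-key"

if __name__ == "__main__":
    print("exact distances:", round(localisation_error(TARGET, OBSERVERS, "user-1"), 3), "m")
    print("shifted coords: ", round(localisation_error(TARGET, OBSERVERS, "user-1", SECRET), 1), "m")
```

With exact distances the error is effectively zero; with shifted coordinates the circles still meet, but at the shifted point, so the error equals the size of the shift.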