date 2006-01-21
from the We-know-where-you-are dept.
Bug? No, Telegram exposing its users' precise location is a feature working as 'expected':
A researcher who noted that using the "People Nearby" feature of popular messaging app Telegram exposed the exact location of the user has been told that it's working as expected.
[...] Using a utility that fakes the location of an Android device, Ahmed Hassan was able to discover the distance of individuals from three different points, and then use trilateration to pinpoint exactly where they were. He was able to retrieve exact home addresses using this method, which is not technically difficult.
Hassan reported the issue in the hope of a bug bounty only to be told: "Users in the People Nearby section intentionally share their location, and this feature is disabled by default. It's expected that determining the exact location is possible under certain conditions."
"If you enable the feature of making yourself visible on the map, you're publishing your home address online. Lot of users don't know this when they enable that feature," Hassan said.
He also believes that there is a widespread problem with malicious users faking their location, joining local groups, and spamming users with fake Bitcoin investments or other frauds – evidence, he claims, of poor application security.
In its FAQ Telegram claims to be "more secure than mass market messengers like WhatsApp and Line" based on its security protocols, but does not address the risks from malicious users.
For Telegram's part, the company said it doesn't regard the issue as a bug, and declined Hassan's security report.
[...] "Unfortunately, this case is not covered by our bug-bounty program."
To fix it, the company could round user locations to the nearest mile "and add a static random noise," Hassan said. "Tinder had the same issue and they fixed it by creating buckets."
Ok, so, this service can be made more safe by reducing the precision of the location. But it was turned on so other people can tell if that user is nearby. Is a mile nearby?
What are people using this for where they want you to be able to know they are sort of nearby but not exactly where they are? Do they want to be found or not?
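The fix quoted above (round locations to about a mile, add static noise, report bucketed distances) can be sketched server-side as follows. This is an added example, not code from Telegram, Tinder or the article; the grid size, `SERVER_KEY`, the function names and the coordinates are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import math

EARTH_RADIUS_M = 6_371_000.0
CELL_M = 1609.344                      # assumption: one-mile grid, per the quoted suggestion
SERVER_KEY = b"constructed-demo-key"   # assumption: secret that never leaves the server

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def coarsen(user_id, lat, lon):
    """Snap a position to its grid cell, then add an offset fixed per (user, cell)."""
    dlat = math.degrees(CELL_M / EARTH_RADIUS_M)
    row = math.floor(lat / dlat)
    clat = (row + 0.5) * dlat
    # Longitude cells widen toward the poles so they stay about CELL_M across.
    dlon = dlat / max(math.cos(math.radians(clat)), 0.01)
    col = math.floor(lon / dlon)
    clon = (col + 0.5) * dlon
    # Static noise: keyed hash of user and cell, so asking again returns the same
    # offset and it cannot be averaged out the way per-request noise could.
    mac = hmac.new(SERVER_KEY, f"{user_id}:{row}:{col}".encode(), hashlib.sha256).digest()
    u = int.from_bytes(mac[:4], "big") / 2**32 - 0.5
    v = int.from_bytes(mac[4:8], "big") / 2**32 - 0.5
    return clat + u * dlat, clon + v * dlon

def reported_distance_m(viewer, user_id, true_pos):
    """Distance shown to a viewer: measured to the coarse point, rounded up to a bucket."""
    d = haversine_m(viewer, coarsen(user_id, *true_pos))
    return max(1, math.ceil(d / CELL_M)) * CELL_M

# Constructed sample data: two addresses about 390 m apart in the same cell,
# and three viewer positions like the three measurement points in the article.
HOME_A, HOME_B = (52.5160, 13.4020), (52.5130, 13.3990)
VIEWERS = [(52.5600, 13.4000), (52.5000, 13.4700), (52.4900, 13.3400)]

if __name__ == "__main__":
    for v in VIEWERS:
        print(reported_distance_m(v, "user-1", HOME_A), reported_distance_m(v, "user-1", HOME_B))
```

Every viewer sees the same distance whether the user is at `HOME_A` or `HOME_B`, so three measurements resolve at most the grid cell, not the address.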