Telegram's 'People Nearby' Shows Users' Exact Location Through Triangulation, Research Found


Telegram is a privacy-oriented messaging app. It's a popular choice among many, especially those who just want to be away from Facebook's grip.

But the messaging app was found to have a privacy concern that should raise some questions. A user named Ahmed warned that Telegram's 'People Nearby' feature apparently exposes users' locations online and in real time.

This could enable anyone to determine other Telegram users' exact location.

While the Telegram feature only shows the distance between one user and other users, it's not at all difficult to get more exact location data.

Ahmed showed that Telegram users can use a dedicated GPS spoofing device, root their phone to be able to spoof their location, or even walk around to triangulate positions. After that, it’s just a matter of entering the coordinates in a mapping tool to get the exact location of a target.

You’re effectively “publishing your home address online,” Ahmed said.

Telegram's People Nearby feature shows the distance between the user and others nearby. (Credit: Ahmed)

In a blog post, Ahmed wrote that:

"A few years ago, while using the Line app, I noticed a feature called 'People nearby.' The feature lets you connect with other Line users within the same area. The feature would give you the exact distance from you to the other users. If someone spoofs their latitude, longitude, they can triangulate a user and find their location. I reported an issue in the Line app, and they paid me $1000 for it. They fixed it by adding a random number to the user's destination.

"A few days ago, I installed Telegram, and I noticed that they have the same feature."
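An added example (not code from Ahmed, Line or Telegram) of the server-side difference between returning an exact distance and a coarsened one. It uses deterministic grid snapping plus distance buckets rather than the random offset Line reportedly added, so a repeated query returns the same answer; the grid size, bucket size, coordinates and function names are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000
CELL_DEG = 0.01   # assumed grid size: about 1.1 km of latitude
BUCKET_M = 500    # assumed granularity of the distance shown to users


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def snap_to_cell(lat, lon, cell_deg=CELL_DEG):
    """Replace a position with the centre of its grid cell (deterministic)."""
    def snap(v):
        return (math.floor(v / cell_deg) + 0.5) * cell_deg
    return snap(lat), snap(lon)


def exact_distance(viewer, target):
    """Behaviour the article describes: a precise distance per viewer position."""
    return round(haversine_m(*viewer, *target))


def coarse_distance(viewer, target, bucket_m=BUCKET_M):
    """Hardened variant: distance to the target's cell centre, rounded up to a bucket."""
    d = haversine_m(*viewer, *snap_to_cell(*target))
    return max(bucket_m, math.ceil(d / bucket_m) * bucket_m)


# Constructed sample data: two users about 300 m apart inside the same grid
# cell, and three viewer positions (real or spoofed) around them.
HOME_A = (48.8566, 2.3522)
HOME_B = (48.8585, 2.3550)
VIEWERS = [(48.8700, 2.3400), (48.8450, 2.3700), (48.8600, 2.3900)]


def responses(fn, target):
    """Distances the server would report to each viewer for one target."""
    return [fn(v, target) for v in VIEWERS]


if __name__ == "__main__":
    print("exact :", responses(exact_distance, HOME_A), responses(exact_distance, HOME_B))
    print("coarse:", responses(coarse_distance, HOME_A), responses(coarse_distance, HOME_B))
```

With exact distances the two homes produce different answers from every viewer position, which is what makes a fix possible; with the coarse variant both homes are indistinguishable, so the most a viewer can learn is the grid cell.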

Ahmed reported this to Telegram, but he was then told that it is not an issue.

"Thanks for reaching us out. Users in the People Nearby section intentionally share their location, and this feature is disabled by default. It's expected that determining the exact location is possible under certain conditions," Telegram wrote in a reply to Ahmed.

Telegram also said that the case "is not covered by our bug bounty program."

So in this case, Telegram reportedly isn’t worried about the privacy implications, simply because 'People Nearby' users are “intentionally” sharing their locations.

In other words, if users' location is shared, it's because of the users' doing, and not Telegram's.

Users may not have to worry about inadvertently sharing their whereabouts, but Telegram's location feature could still create serious privacy problems for those who are unaware of how it works.

If it's turned on and users forget to turn it off, for example, the feature could be used to harass or stalk people who think they're only sharing relative distances.

Using a method called triangulation, malicious actors can invade someone else's privacy by pinpointing a target's exact location. (Credit: Ahmed)

In a world where people use smartphones that are online 24/7, data is transferred even behind their backs.

Founded by Russian entrepreneur Pavel Durov, Telegram is a privacy-focused messaging app used by millions of people around the world. One of its main selling points is that it offers privacy features that not many competitors have. Yet here, the 'People Nearby' feature can be exploited to reveal the location of other users without much difficulty.

It's easy to guess how this could be used by scammers or other adversaries to their advantage.

Because of this, Telegram users who are concerned about privacy may want to never turn on 'People Nearby' if they're worried about someone tracking them down, even if the likelihood of someone exploiting this feature isn't particularly high.

"Telegram's poor application security can be reflected with the number of scammers they have within that feature. Telegram allows users to create local groups within a geographical area. Many scammers spoof their location and try to sell fake bitcoin investments, hacking tools, SSNs that are used for unemployment fraud, and so on. The amount of illegal activities I saw there makes the Silkroad look like amateurs ran it," Ahmed said.

"If you use this feature, please make sure to disable it. Unless you want your location to be accessible by everyone," Ahmed said.

Published: 07/01/2021