A report published by cybersecurity researcher Ahmed Hassan notes that the "People Nearby" feature, which allows Telegram users to see who is in nearby locations, can be exploited by threat actors to triangulate the location of unsuspecting users.
Although the feature is disabled by default, users who enable it are unaware that doing so could reveal their location with a high degree of precision.

This feature lists Telegram users within a radius of approximately 2.5 kilometers. According to the expert, it is possible to locate a user by calculating the distance to them from three different points and pinpointing the exact location of the target user.
All that malicious hackers need to do to locate a user is walk around the target area, collect its latitude and longitude, and determine how far away the target user is.
Hassan also notes that it is possible to complete the attack using a GPS spoofing tool: "Any app available on the Play Store works for the attack; attackers only need to install apps like GPS Spoof and create three locations near the user within an 11-kilometer radius."

Using these three locations, threat actors could use tools like Google Earth Pro to connect the spoofed locations and calculate the midpoint between the three: "I successfully tested the attack against an app user," the researcher states.
In response, Telegram stated that this is not considered a bug, and the report was rejected: "The feature is disabled by default; while it is possible to determine a user's location under specific conditions, this report is not covered by our vulnerability rewards program."
To prevent this from happening again, the company could round user locations to the nearest mile to avoid sending precise locations. Additionally, Hassan recommends adding random noise to the feature, similar to what Tinder did when an identical issue was reported on that platform.
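The rounding mitigation suggested above can be sketched as follows. This is an added example, not Telegram's or the researcher's code; the function names, the one-mile cell size and the choice to snap both the viewer and the target are assumptions made for illustration, and the coordinates are constructed sample values.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
MILE_M = 1609.344  # assumed cell size, from the "nearest mile" suggestion

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def snap_to_grid(lat, lon, cell_m=MILE_M):
    """Replace a position with the centre of its fixed grid cell (about cell_m wide)."""
    lat_step = math.degrees(cell_m / EARTH_RADIUS_M)
    lat_s = (math.floor(lat / lat_step) + 0.5) * lat_step
    # A degree of longitude shrinks with latitude, so size the step at the snapped latitude.
    lon_step = lat_step / max(math.cos(math.radians(lat_s)), 0.01)
    lon_s = (math.floor(lon / lon_step) + 0.5) * lon_step
    return lat_s, lon_s

def reported_distance_m(viewer, target, cell_m=MILE_M):
    """Distance shown to a viewer: both ends snapped, result rounded up to whole cells."""
    v = snap_to_grid(*viewer, cell_m)
    t = snap_to_grid(*target, cell_m)
    d = haversine_m(*v, *t)
    return max(1, math.ceil(d / cell_m)) * cell_m

# Constructed sample data: two positions about 950 m apart inside one grid cell.
TARGET_A = (39.995, -74.998)
TARGET_B = (40.001, -74.990)
VIEWERS = [(40.05, -75.0), (39.95, -75.1), (40.0, -74.9)]

if __name__ == "__main__":
    for v in VIEWERS:
        # The same value is reported for both targets from every viewing point.
        print(v, reported_distance_m(v, TARGET_A), reported_distance_m(v, TARGET_B))
```

Because the reported value depends only on which cells the two parties fall in, readings taken from any number of viewing points cannot narrow the target down further than its cell.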