Telegram’s new “People Nearby” feature shows a list of other nearby users and their approximate proximity to you, letting you create group chats based on geographic location. The feature is turned off by default and must be manually enabled by the user, but it’s an idiosyncratic addition for an app that markets itself as a private, end-to-end encrypted messaging service—and according to security researcher Ahmed Hassan, it’s a major security risk.
Users can fake their geographic location in Telegram, which exposes other users to potential scams. “Many scammers spoof their location and try to sell fake bitcoin investments, hacking tools, SSNs that are used for unemployment fraud, and so on. The amount of illegal activities I saw there make the Silkroad look like amateurs ran it,” Hassan explained in a recent blog post.
Even worse, Hassan identified a flaw in the People Nearby feature that could let bad actors triangulate the exact location of other app users by using two accounts with fake addresses.
This opens users up to hacks, stalking, or worse—and Telegram has announced no plans to fix the problem. Hassan reported the vulnerability to Telegram, but the company says it won’t be patched. In fact, Telegram told Hassan that discovering a user’s specific location is an “expected” outcome of the People Nearby feature in certain cases. The response feels out of character for an encrypted messaging app that sells itself on its privacy features. Even adding a more detailed warning that other users could find your precise location would be helpful, but it doesn’t look like that will happen either.
To be fair, Telegram is generally more secure than other chatting apps, and since People Nearby is turned off by default, this may not seem like a serious issue. However, users could inadvertently turn the feature on, thinking they’re simply broadcasting their general proximity to someone else, and not their exact location. If you value your privacy, don’t use Telegram’s People Nearby feature.