Damn
The first and only security bug I could actually have found myself, and I missed it...
Telegram has paid out a €2,000 bounty to a researcher who uncovered a vulnerability that caused the messaging app to expose users' IP addresses. The programming blunder has been fixed in the latest version. Dhiraj Mishra took credit for the discovery and reporting of CVE-2018-17780, a vulnerability in the Windows and tdesktop …
In other breaking news, it's been discovered that when you phone someone, you know their number.
Obviously in a p2p call you're going to know the other person's IP address - logging or no logging.
What difference does it make to security that I know who I'm calling, as long as the end-to-end encryption is sound?
What legitimate use is there to hide the recipient's address? So a newspaper can call back an anonymous source? Even so, it's a false sense of security - you're just moving the vulnerability to the servers of those nice Telegram people who you can bet your life the Five Eyes are watching...
If one machine is compromised - e.g. by some country's "law enforcement"/secret service grabbing said machine - then they have a list of addresses maybe you didn't want them to have, which, say, if you are a gay person/political activist in some countries, you may prefer those in charge not to be able to chase your friends.
So, if I phone a fellow activist, and their phone is confiscated, then the authorities can get my IP... OK, that makes sense, but if things were that dicey, I wouldn't trust my IP to a third party either.
Seeing that the number you are calling - not the one you are calling from - is the one revealed, it could be worse.
Oh well, glad they've fixed it anyway. Guess I'll never make a good spy (or is that what I would say?)
If you were running on Windows, or from your own source build, it is likely you could monitor incoming and outgoing communications to see the IP address of another party in P2P communications. If you are running that app in an unrooted phone, then it might be more difficult to download a traffic monitor to let you monitor endpoints of p2p communication. Even so, having the app store the remote-endpoint in a local log makes it all too easy to see the remote IP, which is the main security flaw. Given enough resources, of course, someone has to know the remote IP whether you go P2P or through the server. It really becomes a matter of how easy it is to use in a short amount of time -- as is true for most security options, quantum ones aside.
"If you are running that app in an unrooted phone, then it might be more difficult to download a traffic monitor to let you monitor endpoints of p2p communication"
Because it's oh so difficult to connect the unrooted phone to a wifi hotspot and see the traffic flows there?