Disclosure of telephone number and geolocation through vulnerability in Telegram


Recently, Telegram channels have been discussing more and more the topic of "probiv" (looking up people's personal data on request) and leaks of personal data. I wondered how resistant the Telegram ecosystem itself is to such leaks.

Under the cut is the story of how I found a bug in Telegram. The bug allows a bot to mislead the user and push them into unknowingly sharing their data: geolocation and phone number.

Here's how it works:


System complexity has always been an enemy of security.

Telegram has grown: it has stopped being just a messenger and has become a large media platform with rich functionality. The Telegram Bot API stands apart as a separate building block, allowing you to build entire applications inside the messenger, the so-called bots.

Most likely, everyone who has tried to create their own bot already knows that a bot can ask the user for their phone number using a special keyboard button (a button with the request_contact flag set).

The text on this button can be set to anything. Moreover, the bot uses the same kind of buttons for other interactions, so a contact-request button looks exactly like an ordinary menu button:


After tapping the button, the user is of course shown a warning that their contact will now be sent to the bot:


This message states the risk of deanonymization quite clearly and warns a thoughtful user away from an action that is dangerous to them.

Going through the API updates, I remembered that at some point Telegram gave users the ability to make their own localization of the messenger. There were examples where localization was used for comic alterations of the interface. At that moment the same thought occurred to me that may be occurring to you now:

What if you "comically translate" the dialog box that warns the user about sending their phone number to the bot, replacing its text?


At first I thought that getting a user to install a third-party XML localization file into the application would be much harder than simply convincing them to tap Share contact. Indeed, at the time Telegram offered to distribute localizations between users exactly like that, as an XML file.

So I thought, until I came across the setlanguage link handler in the source code of the Android application.


Exactly what is needed!

It turned out that Telegram had long ago opened its translation platform, translations.telegram.org, to all Telegram users, and there is no longer any need to pass around XML files.


It is enough to follow a link of the form t.me/setlanguage/%lang%, after which the user sees a dialog box offering to install a new language. This window is much less intimidating than the warning about a phone number request:


How it works


Register at translations.telegram.org.

Add your own language and translate the necessary interface elements, plus a couple of others for plausibility.

In a localization you can write anything you want. Instead of the frightening warning about sharing geolocation and phone number, write a harmless text. Do the same for the other platforms.

The poisoned language is ready. It remains to slip it to the user.


I still could not find a way to tell whether the user had installed the offered localization. There are no per-language statistics on translations.telegram.org, and nothing changes in the user's profile. The Bot API lets a bot learn the user's language through the language_code parameter, but its value is taken from the system settings; changing the language inside the application does not affect this parameter.

Well, then it is enough to add a small delay after the message with the language link. After the language is chosen, the bot suggests that the user look at the bot menu. When the user taps OK in this (now harmlessly worded) dialog box, the number is sent to the bot in a message, and the bot deletes that message immediately. If the bot receives updates via a webhook, the message is deleted faster, and the user may not even realise that they have just sent their contact.

By the way, in the same way as a contact request, a bot can ask a user to share their geolocation. And yes, that dialog box can also be "translated".
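To make the data flow concrete from the bot's side, here is an added example (not code from the original post) that audits Bot API updates for the two shares discussed above, a contact and a location, and reports what personal data each one hands to the bot. The update objects are constructed samples following the public Bot API field names (message.contact, message.location, from.language_code); the values are made up.

```python
# Constructed sample updates shaped like Telegram Bot API "Update" objects.
# Field names follow the public Bot API; all values are made up for illustration.
SAMPLE_UPDATES = [
    {"update_id": 1001, "message": {"message_id": 51, "date": 1600000000,
        "from": {"id": 123456, "is_bot": False, "first_name": "Alice", "language_code": "en"},
        "chat": {"id": 123456, "type": "private"},
        "contact": {"phone_number": "+10000000000", "first_name": "Alice", "user_id": 123456}}},
    {"update_id": 1002, "message": {"message_id": 52, "date": 1600000010,
        "from": {"id": 123456, "is_bot": False, "first_name": "Alice", "language_code": "en"},
        "chat": {"id": 123456, "type": "private"},
        "location": {"latitude": 51.5, "longitude": -0.12}}},
    {"update_id": 1003, "message": {"message_id": 53, "date": 1600000020,
        "from": {"id": 123456, "is_bot": False, "first_name": "Alice", "language_code": "en"},
        "chat": {"id": 123456, "type": "private"}, "text": "hello"}},
]


def sensitive_shares(update):
    """Return a list of (kind, payload) for personal data this single update gives the bot."""
    msg = update.get("message") or {}
    found = []
    contact = msg.get("contact")
    if contact:
        # A shared contact carries the phone number in clear; comparing contact.user_id with
        # the sender's id tells whether the user shared their *own* number (the request_contact
        # button always sends the user's own contact).
        found.append(("phone", {
            "phone_number": contact["phone_number"],
            "own_number": contact.get("user_id") == msg["from"]["id"],
        }))
    loc = msg.get("location")
    if loc:
        found.append(("geolocation", {"lat": loc["latitude"], "lon": loc["longitude"]}))
    return found


def audit(updates):
    """Summarise which updates leaked personal data to the bot.

    language_code is included only to show what the bot sees: it reflects the device's
    system locale, not any localization pack installed inside the app, so it cannot be
    used to tell whether the user accepted a custom language.
    """
    report = []
    for u in updates:
        shares = sensitive_shares(u)
        if shares:
            sender = u["message"]["from"]
            report.append({"update_id": u["update_id"], "user_id": sender["id"],
                           "language_code": sender.get("language_code"), "shares": shares})
    return report
```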

How to fix


Obviously, users should not be allowed to translate absolutely the whole interface without moderation. Translation moderation is in fact already enabled for some strings, for example this dialog box: translations.telegram.org/rutech/ios/unsorted/AuthCode.Alert. The need for moderation is indicated by the Critical label.


So a small omission, the absence of the Critical label on the dialogs about sharing the phone number and geolocation, leads to a leak. And it is a leak of very sensitive data for a messenger that builds its marketing around privacy and security.

A messenger tied to your personal phone number cannot be private by definition. It can only raise the cost of revealing your identity.

This vulnerability was accepted into the Telegram bug bounty program and was rated at 100 €.

PS

Come join our Telegram chat @secinfosec. There we share experience and discuss everything related to information security: bug bounties, pentests, paper and practical security, new threats and methods of dealing with them.
