Telegram is a communication application that allows the creation of encrypted chat rooms and encrypted calls over the internet. It describes itself as a secure and private application, but one researcher takes the opposite view. He states that, with the default settings, the application reveals users' IP addresses when they start a call.
This is caused by Telegram's default setting, which makes calls using P2P (peer-to-peer). When P2P is used for a call, the IP address of the user in the call is displayed in the application's console logs. However, the console log does not exist in every version of the application. The Windows version does not have a console log, while the Linux version does.
The Telegram application gives users the option to disable P2P for their calls through the application's settings: go to Settings -> Privacy and Security -> Voice Calls -> Peer-To-Peer and change it to Never or Nobody. With this setting changed, all calls are routed through Telegram's servers, which hides the IP address but may affect the sound quality.
The problem, however, is in the desktop version of the app, which does not have the setting that corresponds to the one in the Android version, so the behaviour cannot be changed. This means that IP leakage at the beginning of each call is inevitable for this release.
The security researcher Dhiraj, who made the discovery, informed Telegram and published a proof-of-concept video showing that three different IP addresses appear during the call. The first is the Telegram server's IP address, the second is that of the user making the call, and the third is that of the called user. Telegram awarded Dhiraj 2,000 euros for his finding, and he registered the vulnerability as CVE-2018-17780.