The popular free messaging service Telegram can leak your IP address if you merely add a hacker to your contacts and then accept a phone call from them.
Security researcher Denis Simonov, who is also known by his alias n0a, pointed out the issue and wrote a simple tool to exploit it. TechCrunch verified the research by adding Simonov to the contacts of a new Telegram account. Simonov then called the account and, after a few seconds, gave TechCrunch the IP address of the computer where the experiment was performed.
But even with 700 million users globally, Telegram has always pitched itself as "secure" and "private", even though experts have continued to warn that Telegram is not more secure than, for example, the end-to-end encrypted messaging app Signal.
The fact that Telegram leaks your IP address to people in your contacts during a voice call has been known for years, but it’s likely that new, less technical users may not be aware.
Simonov, who works for cybersecurity firm T.Hunter, said: "Telegram focuses on security and privacy, but in order to be safe, you need to know the nuances of how the messenger's voice calls work."
"An unprepared person can easily reveal his IP address to his interlocutor if he does not know about them," Simonov said.
The reason Telegram exposes a user's IP addresses during calls is that, by default, the service uses a peer-to-peer connection between callers "for better quality and reduced latency," Telegram spokesperson Remi Vaughn
"The downside of this is that it necessitates that both sides know the IP address of the other (since it is a direct connection). Unlike on other messengers, calls from those who are not in your contact list will be routed through Telegram's servers to obscure that," Vaughn said.
To avoid leaking your IP address, you have to go to Telegram's Settings > Privacy and Security > Calls and then select "Never" in the Peer-to-Peer menu.
Other messaging and calling apps have also been found to leak users' IP addresses. In 2017, a researcher discovered that in some ways, WhatsApp was allowing hackers to find a user's IP address by leaking metadata. In August, 404 Media reported that hackers could identify the IP address of a person on Skype with no interaction.
Microsoft at the time claimed it would patch the vulnerability. However, Telegram clearly believes this is just how the app should function.