Security experts have discovered an issue in Telegram where clicking a disguised username link can instantly reveal your real IP address. Even if you use a proxy or VPN, this ‘one-click’ leak bypasses your settings. Learn how this affects Android and iOS users and what you can do to stay safe.
A new security discovery is causing chaos among Telegram’s 1 billion monthly users. It turns out that a simple click on a colleague’s or friend’s username might be doing more than just opening a chat; it could be handing over your real-world location data to a stranger.
This issue was first brought to light by a researcher known as @0x6rss on X.com and later confirmed by security expert Saurabh on LinkedIn. As per their investigation, the glitch is surprisingly easy to pull off, affecting both Android and iPhone users alike.
The Hidden Trap in Your DMs
Many of us use Telegram because it feels safer than other apps. The platform even includes a built-in tool called MTProxy, which is meant to help people in countries with heavy censorship bypass blocks and hide their internet traffic. However, the research group GangExposed RU found that hackers can disguise a special link, known as a “tg://proxy” link, to look exactly like a normal Telegram username (e.g., @durov).
Here is the catch: when you click that name, Telegram automatically pings a server to check if it’s working. This check happens using your phone’s direct internet connection, completely ignoring any privacy settings or VPNs you have turned on. In an instant, the person on the other side can see your real IP address, which reveals your city, service provider, and general location.
Why This is Catching People Off Guard
The secret keys usually required for secure connections are totally irrelevant here because the mere act of clicking is the trigger. Some experts have compared this to a famous security flaw in Windows, where a computer accidentally gives away information just by trying to connect to a network.
Because these links look like regular internal parts of the app, they don’t set off any red flags. A user might think they are just looking at a profile, but they are actually sending their digital home address to a server controlled by an attacker.
Telegram’s Response
Telegram has since clarified that while they believe this is how internet links naturally work, they are going to add a warning pop-up. This way, if you click a disguised link, you’ll get a heads-up before your info is shared.
“Any website or proxy owner can see the IPs of those who access it regardless of platform. This is no more relevant to Telegram than WhatsApp or any other web service. Still, we’re adding a warning that will show when clicking proxy links so users can be aware of disguised links.”
Telegram
Until that update rolls out, it’s best to be cautious. Avoid clicking on usernames from people you don’t know in large public groups. If you want to be extra safe, you can use a separate VPN app on your phone rather than relying on the one built into Telegram, as this covers all your phone’s outgoing pings.