A stealthy flaw in Telegram’s mobile clients lets attackers unmask users’ real IP addresses with a single click, even when those users are hiding behind proxies. Dubbed a “one-click IP leak,” the vulnerability turns seemingly innocuous username links into potent tracking weapons.
The issue hinges on Telegram’s automatic proxy validation mechanism. When users encounter a disguised proxy link, often embedded behind a username (e.g., t.me/proxy?server=attacker-controlled), the app pings the proxy server before adding it.
Crucially, this ping bypasses all user-configured proxies, routing directly from the victim’s device and exposing their true IP. No secret key is required. The behavior mirrors NTLM hash leaks on Windows, where authentication attempts betray the client.
Cybersecurity expert @0x6rss demonstrated an attack vector on X (formerly Twitter) and shared a proof-of-concept: a 1-click Telegram IP Leak. “Telegram auto-pings the proxy before adding it,” they noted. “Request bypasses all configured proxies. Your real IP is logged instantly.”
How the Attack Unfolds
Attackers craft malicious proxy URLs and mask them as clickable usernames in chats or channels. A targeted user clicks once, triggering:
- Automatic proxy test: Telegram sends a connectivity probe to the attacker’s server.
- Proxy bypass: The request ignores SOCKS5, MTProto, or VPN setups, using the device’s native network stack.
- IP logging: Attacker’s server captures the source IP, geolocation, and metadata.
Both Android and iOS clients are vulnerable, affecting millions who rely on Telegram for privacy-sensitive communications. No user interaction beyond the click is needed; it’s silent and effective for doxxing, surveillance, or deanonymizing activists.
This flaw underscores risks in proxy-heavy apps amid rising state-sponsored tracking. Telegram, with over 950 million users, has yet to publicly patch it. Similar bypasses have plagued apps like Signal in the past.
Mitigations:
- Disable auto-proxy detection in settings (if available).
- Avoid clicking on unknown usernames/links.
- Use firewall rules to block outbound proxy pings (e.g., via Little Snitch on iOS or AFWall+ on Android).
- Monitor for patches via Telegram’s changelog.
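One way to screen message text for proxy links hidden behind a username-style label, as an added example that is not code from the researcher or from Telegram. It assumes Markdown-style `[label](target)` links and also covers the `tg://` and `socks` forms of Telegram's proxy deep links, which go beyond the single `t.me/proxy` form quoted above; the function names and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: message text uses Markdown-style links, [visible label](target).
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
TME_HOSTS = {"t.me", "telegram.me"}
PROXY_KINDS = {"proxy", "socks"}  # MTProto and SOCKS5 proxy deep links

def proxy_server(url):
    """Return the 'server' value if url is a Telegram proxy deep link, else None."""
    if "://" not in url:
        url = "https://" + url  # bare "t.me/proxy?..." as written in chats
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    if parts.scheme == "tg":
        kind = host  # tg://proxy?... carries the link type in the host position
    elif parts.scheme in ("http", "https") and host in TME_HOSTS:
        kind = parts.path.strip("/").lower()
    else:
        return None
    if kind not in PROXY_KINDS:
        return None
    return parse_qs(parts.query).get("server", ["<missing>"])[0]

def find_proxy_links(message):
    """List proxy deep links in a message; 'disguised' marks a misleading label."""
    findings = []
    for label, target in LINK_RE.findall(message):
        server = proxy_server(target)
        if server is not None:
            # Honest only when the visible label is the same proxy link.
            disguised = proxy_server(label.strip()) != server
            findings.append({"label": label, "server": server, "disguised": disguised})
    return findings

# Constructed sample messages (203.0.113.7 is a documentation address).
SAMPLES = [
    "Contact [@support_team](https://t.me/proxy?server=203.0.113.7&port=443)",
    "Channel: [@news](https://t.me/news)",
    "[t.me/socks?server=proxy.example.net&port=1080](tg://socks?server=proxy.example.net&port=1080)",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(find_proxy_links(msg))
```

A moderation bot or gateway could quarantine any message where `disguised` is true, since the visible text does not tell the reader that tapping it opens a proxy prompt.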
Researchers urge immediate fixes. Telegram did not respond to requests for comment by press time.
