
- Researchers found a flaw with Telegram that can expose user IP addresses
- The one-click vulnerability exploits the app’s automatic proxy checking
- The bug “bypasses all configured proxies” within the app, including VPNs
Security researchers have uncovered a new one-click vulnerability that forces the Telegram mobile app to leak your real IP address. Even using the best VPN apps might not be enough to stop it if your settings aren’t watertight.
The flaw, identified by security researcher 0x6rss, affects both Android and iOS versions of the app. It revolves around how Telegram handles proxy settings, a feature often used by people in restrictive regions to bypass censorship.
By disguising a malicious proxy link as a harmless username or website URL, attackers can trick the app into “pinging” a server they control. This connection happens automatically and, critically, occurs outside of the encrypted tunnel users rely on to stay anonymous.
How Telegram’s ‘one-click’ leak works
The vulnerability is triggered the moment a user clicks a specially crafted t.me link. While these links can look like standard user profiles, they actually point to a proxy configuration. When clicked, Telegram attempts to verify the quality of the proxy connection by sending a test request (a “ping”) to the server.
The researcher found that this specific request “bypasses all configured proxies” and any tunnels set up within the app. As a result, the connection goes out through the device’s native network stack, directly from the user’s device, instantly logging their real IP address on the attacker’s server.
ONE-CLICK TELEGRAM IP ADDRESS LEAK! In this issue, the secret key is irrelevant. Just like NTLM hash leaks on Windows, Telegram automatically attempts to test the proxy. Here, the secret key does not matter and the IP address is exposed. Example of a link hidden behind a… https://t.co/KTABAiuGYI pic.twitter.com/NJLOD6aQiJ (January 10, 2026)
The proof-of-concept code is now publicly available on GitHub.
What makes this particularly dangerous is the “one-click” nature of the exploit. There is no second confirmation screen or warning before the ping is sent. Once the link is tapped, the damage is done.
For activists, journalists, and whistleblowers who rely on Telegram for anonymity, this exposes their approximate physical location and ISP details to potential bad actors.
Can a VPN protect you?
The researcher noted that the request “bypasses all configured proxies,” ignoring active SOCKS5, MTProto, or VPN setups specifically configured within the Telegram app settings.
Because the app initiates this specific connection request directly through the device’s network interface, it can potentially leak data even when protective tools are active.
While a system-wide VPN with a strict kill switch should theoretically catch this traffic, the specific behavior of this flaw creates a significant risk that traffic could slip through the net, particularly if the user relies on split-tunneling features.
Telegram’s response
Telegram has historically downplayed similar findings, often stating that “any website or proxy owner can see the IPs” of visitors, framing it as a standard function of how the internet works.
However, following scrutiny over this specific bypass, the company told Bleeping Computer that it intends to address the user interface aspect of the flaw.
Telegram is expected to add a warning prompt to these specific links in a future update, allowing users to spot disguised proxies and decline the connection before the automatic ping is sent.
What you can do
Until Telegram releases a patch to fix this automatic pinging behavior, users are advised to be extremely cautious when clicking links from unknown sources, even if they appear to be internal Telegram usernames.
- Avoid clicking t.me links from strangers or in public channels.
- Check link previews carefully before tapping.
- Ensure your system-wide VPN is active and configured to block all non-VPN traffic (Kill Switch enabled) rather than relying solely on Telegram’s internal proxy settings.
Telegram has yet to issue a formal date for this fix, but as scrutiny mounts, a security update is likely on the horizon. For now, the safest course of action is to treat every link with suspicion.
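For channel moderators or anyone filtering messages before they reach users, the link check advised above can be automated. The Python below is an added example, not code from the researcher's proof of concept or from Telegram; it assumes messages are available as (visible text, real target) pairs and that proxy links use Telegram's `t.me/proxy`, `t.me/socks` and `tg://` deep-link forms. All sample links are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Deep-link actions that open Telegram's proxy flow, and hosts that serve them.
PROXY_ACTIONS = {"proxy", "socks"}
TME_HOSTS = {"t.me", "telegram.me"}

def proxy_target(href):
    """Return (server, port) if href is a Telegram proxy deep link, else None."""
    if "://" not in href:
        href = "https://" + href           # bare "t.me/..." as typed in chats
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    if u.scheme.lower() == "tg":
        action = host                      # tg://proxy?... keeps the action in netloc
    elif u.scheme.lower() in ("http", "https") and host in TME_HOSTS:
        action = u.path.strip("/").lower()
    else:
        return None
    if action not in PROXY_ACTIONS:
        return None
    q = parse_qs(u.query)
    return (q.get("server", ["?"])[0], q.get("port", ["?"])[0])

def review_link(display_text, href):
    """Classify one (visible text, real target) pair from a message."""
    target = proxy_target(href)
    if target is None:
        return "ok"
    # A proxy link is only honest if the visible text shows where it connects.
    if target[0] != "?" and target[0].lower() in display_text.lower():
        return "proxy"
    return "disguised-proxy"

# Constructed sample entities; 192.0.2.10 is a documentation-only address.
SAMPLES = [
    ("@support_team", "https://t.me/proxy?server=192.0.2.10&port=443&secret=PLACEHOLDER"),
    ("https://example.org/news", "tg://socks?server=192.0.2.10&port=1080"),
    ("MTProto proxy 192.0.2.10:443", "t.me/proxy?server=192.0.2.10&port=443&secret=PLACEHOLDER"),
    ("@durov", "https://t.me/durov"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(f"{review_link(text, href):16} {text!r} -> {href}")
```

A "disguised-proxy" verdict means the visible text gives no hint of the server the app would contact, which is the pattern the article describes.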




