A stealthy flaw in Telegram’s cell purchasers that lets attackers unmask customers’ actual IP addresses with a single click on, even these hiding behind proxies. Dubbed a “one-click IP leak,” the vulnerability turns seemingly innocuous username hyperlinks into potent monitoring weapons.
The problem hinges on Telegram’s computerized proxy validation mechanism. When customers encounter a disguised proxy hyperlink, typically embedded behind a username (e.g., t.me/proxy?server=attacker-controlled), the app pings the proxy server earlier than including it.
Crucially, this ping bypasses all user-configured proxies, routing instantly from the sufferer’s gadget and exposing their true IP. No secret secret is required, mirroring NTLM hash leaks on Home windows, the place authentication makes an attempt betray the consumer.
Cybersecurity skilled @0x6rss demonstrated an assault vector on X (previously Twitter) and shared a proof-of-concept: a 1-click Telegram IP Leak. “Telegram auto-pings the proxy earlier than including it,” they famous. “Request bypasses all configured proxies. Your actual IP is logged immediately.”
ONE-CLICK TELEGRAM IP ADDRESS LEAK!On this problem, the key secret is irrelevant. Similar to NTLM hash leaks on Home windows, Telegram mechanically makes an attempt to check the proxy. Right here, the key key doesn’t matter and the IP handle is uncovered.Instance of a hyperlink hidden behind a… pic.twitter.com/NJLOD6aQiJ— 0x6rss (@0x6rss) January 10, 2026
How the Assault Unfolds
Attackers craft malicious proxy URLs and masks them as clickable usernames in chats or channels. A focused person clicks as soon as, triggering:
Automated proxy take a look at: Telegram sends a connectivity probe to the attacker’s server.
Proxy bypass: The request ignores SOCKS5, MTProto, or VPN setups, utilizing the gadget’s native community stack.
IP logging: Attacker’s server captures the supply IP, geolocation, and metadata.
Each Android and iOS purchasers are susceptible, affecting hundreds of thousands who depend on Telegram for privacy-sensitive communications. No person interplay past the press is required; it’s silent and efficient for doxxing, surveillance, or deanonymizing activists.
This flaw underscores dangers in proxy-heavy apps amid rising state-sponsored monitoring. Telegram, with over 950 million customers, has but to publicly patch it. Related bypasses have plagued apps like Sign prior to now.
Mitigations:
Disable auto-proxy detection in settings (if accessible).
Keep away from clicking on unknown usernames/hyperlinks.
Use firewall guidelines to dam outbound proxy pings (e.g., through Little Snitch on iOS or AFWall+ on Android).
Monitor for patches through Telegram’s changelog.
Researchers urge rapid fixes. Telegram didn’t reply to requests for remark by press time.
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.
