Telegram MTProto Proxy Vulnerability Exposes Users’ Real IP Addresses

CyberSecureFox 🦊

Telegram users on Android and iOS can have their real IP address exposed simply by tapping a specially crafted link, according to recent security research. The attack abuses the way Telegram handles MTProto proxy configuration links and does not require any further confirmation or interaction from the victim.

How Telegram MTProto Proxy Links Can Leak Your Real IP

Telegram supports MTProto proxies, which are commonly used to bypass censorship and local restrictions. These proxies can be configured via special URLs in the format t.me/proxy?server=…&port=…&secret=…. When a user opens such a link, the Telegram client extracts the parameters and offers to add the proxy to the app’s settings, making configuration quick and convenient.

Analysis of the Android and iOS clients shows that, before any dialog is shown, Telegram automatically initiates a test connection to the specified MTProto proxy server. This background request is sent directly from the user’s device, using their real IP address. As a result, the proxy operator – or an attacker controlling the proxy – immediately learns the user’s IP, even if the user cancels the proxy setup.

Abusing t.me/proxy Links Disguised as Usernames or Profiles

The risk is amplified by the ability to disguise a proxy link as a normal Telegram username or profile reference. In the interface, a user may see a clickable string such as @example, but the underlying URL actually points to t.me/proxy?… rather than a standard profile or channel link.

Once the victim taps this seemingly harmless mention, Telegram silently connects to the attacker-controlled MTProto server as part of its availability check. At that moment, the attacker receives the victim’s source IP address and associated network metadata (such as ISP and approximate region via standard IP geolocation). One tap on a malicious link is enough to cause the IP leak, regardless of whether the proxy is ever saved or used.

Why an IP Address Leak in Telegram Is a Serious Privacy Risk

An IP address is not a full identity, but in modern threat models it is a critical piece of metadata. Combined with other information, it can significantly weaken a user’s anonymity and operational security.

1. Geolocation and tracking. Commercial IP geolocation databases can typically identify a user’s country and region, and often the city, with reasonable accuracy. For journalists, activists, opposition figures, whistleblowers, and other high‑risk groups, disclosure of approximate location can be highly sensitive and, in some environments, dangerous.

2. Network‑level attacks. Knowing a user’s IP makes it easier to launch distributed denial‑of‑service (DDoS) or other network‑based attacks. This can disrupt a user’s connectivity, target home routers, or impact corporate networks if the connection originates from an office environment.

3. Deanonymization and correlation. IP addresses are often used alongside timestamps, device fingerprints, and account activity patterns to correlate multiple online identities. This sort of cross‑platform correlation is a common technique in investigations and surveillance operations and can ultimately be used to map pseudonymous accounts to real individuals.

Because Telegram is widely perceived as a privacy‑focused messenger, implicit background connections without explicit user consent are particularly problematic. Users who rely on Telegram under conditions of censorship or pressure may reasonably expect that a simple tap on a link will not silently expose their network identity to third parties.

Who Reported the Telegram IP Leak and How the Company Responded

The unusual behavior of proxy links was first highlighted by members of the Telegram channel chekist42. The issue was later examined in more detail by other researchers, including a specialist known as 0x6rss, who published a video proof‑of‑concept demonstrating the IP leak in practice.

In comments to BleepingComputer, Telegram representatives noted that website and proxy operators inherently see the real IP addresses of incoming connections, and this is not unique to Telegram. They compared the model to typical behavior of other messaging services and web platforms where servers naturally observe client IPs.

At the same time, Telegram acknowledged the need for greater transparency and committed to adding a warning when users open proxy configuration links. This warning is intended to make users more aware of what kind of resource they are interacting with. No specific rollout timeline has been disclosed so far.

Security Recommendations for Telegram Users Concerned About IP Exposure

Given the described attack vector, users – especially those in high‑risk categories – should take additional precautions when interacting with Telegram links and proxies:

1. Treat unexpected links with suspicion. Be cautious of any URL received in private messages, groups, or channels, particularly if it comes from unknown contacts or newly created channels, or if it is shortened or visually disguised as a username or mention.

2. Inspect the actual URL before tapping. If possible, check whether a link points to t.me/proxy instead of a standard t.me/username or t.me/channel. A proxy link means you are effectively initiating a connection to a third‑party server, not just opening a profile.

3. Use a reputable VPN or Tor for sensitive activity. Routing Telegram traffic through a trustworthy VPN service or anonymity network like Tor helps prevent direct exposure of your home or office IP address to unknown MTProto proxy servers and other third‑party infrastructure.

4. Limit reliance on random third‑party proxies. Where possible, prefer official access mechanisms or proxies operated by trusted organizations. Avoid anonymous configurations distributed through open forums, public lists, or unverified channels.
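The link format described earlier (t.me/proxy?server=…&port=…&secret=…) and recommendation 2 above (check where a link really points before tapping it) can be turned into a small inspection routine. The following Python is an added example written for this article, not code from Telegram or from the researchers cited; it parses a rendered link's visible text and its real target, classifies the target, and flags the case where a proxy-configuration URL sits behind a username-looking label. It goes slightly beyond the article in also recognising the tg://proxy deep-link form and the tg://socks variant (both assumed here to carry the same risk, since the client contacts the named server), and the recognised host set and all sample links are constructed for the example (the server address is from the RFC 5737 documentation range).

```python
"""Inspect Telegram links: what the user sees versus where the link goes.

Added example for this article (not Telegram's or the researchers' code).
Assumptions: TELEGRAM_HOSTS covers the link hosts we care about, and the
tg://socks action is treated like tg://proxy. Sample links are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hosts whose paths are interpreted as Telegram actions (assumed set).
TELEGRAM_HOSTS = {"t.me", "telegram.me"}
# Path segments / tg:// actions that configure a proxy rather than open a
# profile. "proxy" is the form the article describes; "socks" is assumed.
PROXY_ACTIONS = {"proxy", "socks"}
# Telegram usernames are 5-32 characters of letters, digits and underscore.
MENTION_RE = re.compile(r"^@?[A-Za-z0-9_]{5,32}$")


def classify_link(url: str) -> dict:
    """Classify a URL as 'proxy', 'other_telegram' or 'not_telegram'.

    Returns the Telegram action (path segment or tg:// host part) and the
    query parameters so a caller can see e.g. which server would be contacted.
    """
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    if scheme == "tg":
        # tg://proxy?server=...&port=...&secret=...  -> action is the netloc;
        # tg:proxy?... (no slashes) leaves it in the path instead.
        action = (parsed.netloc or parsed.path).strip("/").split("/", 1)[0].lower()
    elif scheme in ("http", "https") and parsed.hostname in TELEGRAM_HOSTS:
        action = parsed.path.strip("/").split("/", 1)[0].lower()
    else:
        return {"kind": "not_telegram", "action": None, "params": {}}

    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    kind = "proxy" if action in PROXY_ACTIONS else "other_telegram"
    return {"kind": kind, "action": action, "params": params}


def looks_like_mention(text: str) -> bool:
    """True when the visible text is shaped like @username."""
    return MENTION_RE.match(text.strip()) is not None


def audit_link(display_text: str, href: str) -> dict:
    """Compare the label the user sees with the real target of the link.

    Flags raised for a proxy-configuration target:
      proxy_config_link          the target would make the client contact
                                 the named server (the leak in the article)
      proxy_hidden_behind_label  the visible text does not itself show that
      disguised_as_mention       the visible text looks like a username
    """
    target = classify_link(href)
    shown = classify_link(display_text)
    finding = {"text": display_text, "href": href,
               "kind": target["kind"], "flags": []}
    if target["kind"] == "proxy":
        finding["flags"].append("proxy_config_link")
        if shown["kind"] != "proxy":
            finding["flags"].append("proxy_hidden_behind_label")
        if looks_like_mention(display_text):
            finding["flags"].append("disguised_as_mention")
        if "server" in target["params"]:
            finding["proxy_server"] = target["params"]["server"]
    return finding


# Constructed sample message links (label, real target); 192.0.2.10 is a
# documentation address, not real infrastructure.
PROXY_URL = "https://t.me/proxy?server=192.0.2.10&port=443&secret=dd00"
SAMPLE_LINKS = [
    ("@example", PROXY_URL),                      # disguised proxy link
    ("@example", "https://t.me/example"),          # genuine profile link
    (PROXY_URL, PROXY_URL),                        # proxy link shown openly
    ("join us", "tg://proxy?server=192.0.2.10&port=443&secret=ee00"),
    ("docs", "https://example.com/proxy?server=192.0.2.10"),  # not Telegram
]


def audit_all(links=SAMPLE_LINKS) -> list:
    """Audit every (label, href) pair and return the findings."""
    return [audit_link(text, href) for text, href in links]


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f['text']!r:45} -> {f['kind']:15} {','.join(f['flags'])}")
```

The useful signal is the combination of flags rather than any single one: a proxy link shown as a proxy link is a normal configuration share, whereas a proxy target behind an @-style label matches the disguise described above and is what a client, a bot moderating a group, or a cautious user should treat as suspicious.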

Telegram’s MTProto proxy IP leak underlines how convenience features such as one‑click proxy configuration can become an attack surface when their internal logic is not fully transparent to users. Careful link hygiene, layered network protections, and a clear understanding of how messenger clients interact with external infrastructure remain essential for anyone who depends on Telegram – or any platform – for private and secure communication.
