A newly discovered vulnerability in Telegram’s built-in proxy feature allows attackers to uncover users’ real IP addresses with just one click. This issue affects both Android and iOS users and raises major privacy concerns for activists, whistleblowers, and anyone relying on Telegram to protect their online identity. Security experts warn that a single tap on what appears to be a username mention could expose sensitive location data.
Telegram offers MTProxy, a tool designed to bypass internet censorship in countries where access to the app is restricted. The proxy masks the user’s real IP address and encrypts traffic to ensure secure communications. This feature has long been praised by privacy advocates and users in restrictive regions for its ability to obfuscate online activity.
Researchers have discovered that attackers can exploit MTProxy to leak IP addresses. By setting up a fake proxy server and creating disguised links, malicious actors can trick users into connecting to that server from their real IP address. The link can appear identical to a regular username mention, making it nearly impossible for users to detect the threat before clicking.
The vulnerability was revealed by security researcher Saurabh on LinkedIn, and the proof-of-concept code is already available on GitHub. According to the researcher, when a Telegram user clicks a tg://proxy link, the app initially connects using the real internet connection before activating the configured proxy. This misstep allows the attacker to capture the user’s IP address instantly.
Experts warn that this flaw could impact a wide range of users who prioritize online anonymity. Individuals relying on Telegram to avoid tracking, share sensitive information, or bypass censorship are particularly at risk. The simplicity of the attack—requiring only a single click—underscores the urgency for users to stay cautious.
While Telegram has not yet issued a formal fix, users can protect themselves by avoiding unknown tg://proxy links and limiting interactions with unfamiliar contacts in chats and channels. Security-conscious users may also consider temporary workarounds, such as using a trusted VPN alongside Telegram until an official patch is released.
This vulnerability highlights the importance of continuous security audits for privacy-focused apps. With malicious actors capable of capturing IPs without sophisticated tools, Telegram faces pressure to address this flaw promptly. Experts recommend that the company release an immediate update to ensure MTProxy cannot be exploited in this manner.
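For moderators and bot operators, the disguised links described above can be flagged before anyone taps them. The following is an added example, not code from the researcher or from Telegram: it assumes messages arrive as text plus a list of entities shaped like the Bot API's `text_link` entities, and the function names and sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Label that reads like an ordinary username mention, e.g. "@support_team".
MENTION_RE = re.compile(r"^@[A-Za-z0-9_]{3,32}$")

def proxy_link_params(url):
    """Return server/port if url is a Telegram proxy deep link, else None."""
    parts = urlsplit(url.strip())
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    is_tg = scheme == "tg" and host == "proxy"
    # Assumption: the https://t.me/proxy form is treated like tg://proxy.
    is_web = (scheme in ("http", "https") and host == "t.me"
              and parts.path.rstrip("/").lower() == "/proxy")
    if not (is_tg or is_web):
        return None
    query = parse_qs(parts.query)
    return {key: query.get(key, [""])[0] for key in ("server", "port")}

def entity_text(text, offset, length):
    """Slice by UTF-16 code units, the unit Telegram entity offsets use."""
    raw = text.encode("utf-16-le")
    return raw[offset * 2:(offset + length) * 2].decode("utf-16-le")

def find_proxy_links(text, entities):
    """Report every text link that targets a proxy deep link."""
    findings = []
    for ent in entities:
        if ent.get("type") != "text_link":
            continue
        params = proxy_link_params(ent.get("url", ""))
        if params is None:
            continue
        label = entity_text(text, ent["offset"], ent["length"])
        findings.append({"label": label, **params,
                         "looks_like_mention": bool(MENTION_RE.match(label))})
    return findings

# Constructed sample message; 203.0.113.7 is a documentation address.
SAMPLE_TEXT = "Thanks 👍 ask @support_team or see the docs"
SAMPLE_ENTITIES = [
    {"type": "text_link", "offset": 14, "length": 13,
     "url": "tg://proxy?server=203.0.113.7&port=443&secret=00"},
    {"type": "text_link", "offset": 39, "length": 4,
     "url": "https://example.org/docs"},
]

if __name__ == "__main__":
    for hit in find_proxy_links(SAMPLE_TEXT, SAMPLE_ENTITIES):
        print(hit)
```

A finding with `looks_like_mention` set is the case the article warns about: a label that reads as a username while the link target is a proxy configuration.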