
The exploit reveals a user’s true location and enables targeted attacks, undermining the anonymity that Telegram’s proxy feature is meant to provide. It highlights a broader risk for activists, journalists, and anyone relying on messaging apps for privacy in restrictive environments.
Telegram’s proxy links were introduced as a quick way to configure MTProto proxies, allowing users in censored regions to bypass network blocks without manual settings. By clicking a t.me/proxy URL, the app extracts the server address, port and secret, then prompts the user to add the proxy. This convenience has made proxy links popular among activists, journalists, and privacy‑conscious users who need to mask their location while communicating.
The newly disclosed flaw stems from the client’s automatic test connection. When a proxy link is opened, Telegram initiates a direct network request to the supplied server before the proxy is officially added, bypassing any existing privacy layers. An attacker who hosts a malicious MTProto proxy can embed such a link in a seemingly innocuous username or message; a single tap logs the victim’s real IP address. The harvested IP can be used for geolocation, profiling, denial‑of‑service attacks, or further targeted phishing, effectively nullifying the anonymity the feature promises.
Telegram’s response is to add a warning banner when users click proxy links, but the company argues the exposure is no different from visiting any website. While the warning may reduce accidental clicks, the underlying auto‑ping behavior remains a design weakness. Users should verify proxy URLs before tapping, avoid unknown links, and consider disabling automatic proxy testing where possible. The incident serves as a reminder that convenience features in messaging apps can introduce privacy trade‑offs, prompting developers to reassess default network behaviors for security‑focused audiences.
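One way to act on the advice to verify proxy URLs before tapping, as an added example that is not Telegram's code: a checker that takes a link's visible text and its real target, extracts the server the client would contact, and flags links whose visible text hides the proxy target. Assumptions: the query parameter names `server`, `port` and `secret`, the `tg://proxy` form and the `telegram.me` alias; the function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# t.me is the host named in the article; telegram.me is assumed as its older alias.
TELEGRAM_HOSTS = {"t.me", "telegram.me"}

def parse_proxy_link(url):
    """Return server, port and secret if url is an MTProto proxy link, else None."""
    if "://" not in url:
        url = "https://" + url              # bare "t.me/proxy?..." as pasted in chats
    try:
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        port = int(query.get("port", [""])[0])
    except ValueError:                      # malformed URL or non-numeric port
        return None
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() == "tg":
        is_proxy = host == "proxy"          # tg://proxy?server=...
    else:
        is_proxy = (parts.scheme.lower() in ("http", "https")
                    and host in TELEGRAM_HOSTS
                    and parts.path.rstrip("/") == "/proxy")
    server = query.get("server", [""])[0]
    if not is_proxy or not server or not 0 < port < 65536:
        return None
    return {"server": server, "port": port, "secret": query.get("secret", [""])[0]}

def review_link(visible_text, target):
    """Findings for one hyperlink: what the user sees versus where a tap leads."""
    proxy = parse_proxy_link(target)
    if proxy is None:
        return []
    findings = [f"tap contacts {proxy['server']}:{proxy['port']} directly"]
    if parse_proxy_link(visible_text.strip()) is None:
        findings.append(f"visible text {visible_text!r} does not show a proxy link")
    return findings

# Constructed sample: (visible text, link target) pairs as a client or gateway sees them.
SAMPLE = [
    ("@support_team", "https://t.me/proxy?server=203.0.113.7&port=443&secret=" + "0" * 32),
    ("t.me/proxy?server=proxy.example.net&port=8443&secret=" + "0" * 32,
     "tg://proxy?server=proxy.example.net&port=8443&secret=" + "0" * 32),
    ("@example_channel", "https://t.me/example_channel"),
]

if __name__ == "__main__":
    for text, target in SAMPLE:
        print(text[:30], "->", review_link(text, target) or "no proxy link")
```

A link that yields two findings is the disguised case the article describes: the text looks like a username while the target is a proxy endpoint.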