SOCRadar® Cyber Intelligence Inc. | Telegram Leaks Exposed: Critical IP Leak | SOCRadar
Jan 15, 2026
Jun 09, 2026
Moon

Critical One-Click IP Leak in Telegram Exposed

The “One-Click Telegram IP leak” vulnerability has emerged as a serious privacy oversight, allowing threat actors to deanonymize users instantly. Security researchers discovered that the platform’s automatic verification of proxy servers can be weaponized to trigger a silent network connection.

Why Is This Vulnerability a Major Concern?

For a platform built on the reputation of secure and private communication, this “silent handshake” mechanism represents a critical weakness. It transforms a standard connectivity check into a potential tracking vector.

Within Cyber Threat Intelligence workflows, Telegram functions as more than a messaging application. It serves as a primary source for threat actor communications, a distribution channel for leaked data, and a routine monitoring environment for security researchers. In this context, anonymity is not optional. It is a prerequisite for safe analysis.

How Does the Telegram Proxy Vulnerability Work?

The core of the issue lies in the automated “health check” mechanism within the Telegram client on both Android and iOS.

A split-screen demonstration of the Telegram IP leak (Source: X)

When a user taps on a proxy configuration link (e.g., t.me/proxy?…), the app attempts to verify if the proxy server is online.

  • The Trigger: This verification happens immediately, before the user confirms they actually want to use the proxy.
  • The Leak: To perform this check, the app establishes a direct TCP connection to the server defined in the link.
  • The Result: If an attacker controls that server, they instantly capture the user’s public IP address from the incoming connection request.

This process is comparable to NTLM hash leaks in Windows environments, where a system is coerced into authenticating to a rogue server and silently betrays the user’s presence.

How Do Attackers Disguise Malicious Proxy Links?

The real danger of this vulnerability is not just technical, but psychological. Attackers leverage Social Engineering to mask the trap.

Because Telegram allows rich text formatting, a threat actor can hide a malicious proxy link behind deceptive text. A link that technically points to t.me/proxy?server=attacker_ip can be visually formatted to look like:

  • A trusted news source
  • A harmless user profile
  • A link to a popular website

Since the app currently does not display a warning pop-up before the background check occurs, a user has no way of knowing their IP is being transmitted until it is too late.
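The link-inspection step the article recommends can be automated for message feeds a CTI team already collects. The following is an added example, not code from the article or from Telegram: it scans a formatted message (modelled on the Bot API shape, `text` plus `entities`, where a `text_link` entity hides a URL behind arbitrary display text) and reports any proxy link, marking it as disguised when the visible text does not reveal the proxy server. The article names only `t.me/proxy`; the `tg://proxy` and `socks` forms are the other documented proxy-link formats and are assumed to trigger the same check. The message and addresses are constructed sample data.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Link forms that make the client start a proxy check. The article names
# t.me/proxy; tg://proxy and the socks variants are the other documented
# proxy-link forms and are assumed here to be handled the same way.
PROXY_HOSTS = {"t.me"}
PROXY_PATHS = {"/proxy", "/socks"}


def parse_proxy_link(url: str):
    """Return (server, port) if url is a Telegram proxy link, else None."""
    url = url.strip()
    if "://" not in url:            # bare "t.me/proxy?..." as typed in chat
        url = "https://" + url
    u = urlparse(url)
    is_tg_scheme = u.scheme == "tg" and u.netloc in {"proxy", "socks"}
    is_tme_link = (u.scheme in {"http", "https"}
                   and u.netloc.lower() in PROXY_HOSTS
                   and u.path in PROXY_PATHS)
    if not (is_tg_scheme or is_tme_link):
        return None
    q = parse_qs(u.query)
    return q.get("server", [""])[0], q.get("port", [""])[0]


@dataclass
class Finding:
    visible_text: str   # what the user sees in the chat
    url: str            # where the tap actually goes
    server: str
    port: str
    disguised: bool     # True when the display text hides the proxy server


def scan_message(text: str, entities: list) -> list:
    """Scan one formatted message for proxy links.

    A 'text_link' entity carries a hidden url under display text;
    a plain 'url' entity shows the URL itself in the message body."""
    findings = []
    for ent in entities:
        visible = text[ent["offset"]: ent["offset"] + ent["length"]]
        if ent["type"] == "text_link":
            url = ent["url"]
        elif ent["type"] == "url":
            url = visible
        else:
            continue
        parsed = parse_proxy_link(url)
        if parsed is None:
            continue
        server, port = parsed
        disguised = ent["type"] == "text_link" and server not in visible
        findings.append(Finding(visible, url, server, port, disguised))
    return findings


def entity(text: str, kind: str, fragment: str, url: str = None) -> dict:
    """Build a Bot-API-style entity dict for a fragment of the sample text.
    Offsets are UTF-16 code units in the real API; identical for ASCII."""
    ent = {"type": kind, "offset": text.index(fragment), "length": len(fragment)}
    if url:
        ent["url"] = url
    return ent


def build_sample():
    """Constructed message: a 'news' link that secretly points at a proxy,
    a proxy link shown in plain sight, and a benign profile link."""
    text = ("Breaking: full story at Reuters. Mirror: "
            "t.me/proxy?server=198.51.100.7&port=8080 - questions? DM my profile")
    hidden = "https://t.me/proxy?server=203.0.113.10&port=443&secret=SECRET_PLACEHOLDER"
    entities = [
        entity(text, "text_link", "Reuters", url=hidden),
        entity(text, "url", "t.me/proxy?server=198.51.100.7&port=8080"),
        entity(text, "text_link", "my profile", url="https://t.me/some_user"),
    ]
    return text, entities


def scan_sample() -> list:
    return scan_message(*build_sample())


if __name__ == "__main__":
    for f in scan_sample():
        flag = "DISGUISED" if f.disguised else "visible"
        print(f"[{flag}] '{f.visible_text}' -> {f.server}:{f.port} ({f.url})")
```

Run against the constructed message, the scanner reports the “Reuters” link as a disguised proxy pointing at 203.0.113.10:443 and the second link as a visible proxy; the profile link is ignored. The same `disguised` test is what a long-press preview gives a human reader: the raw URL compared against the displayed text.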

Has Telegram Patched the IP Leak Vulnerability?

At the time of writing the behavior is still present, but a fix has been announced.

When confronted with the findings, Telegram initially stated that this is standard internet behavior – similar to how visiting a website reveals your IP to the webmaster. However, acknowledging the privacy risks for its user base, the platform has committed to an update.

Telegram’s announcement

The Fix: Telegram plans to introduce a confirmation warning. Future versions of the app will prompt the user for permission before initiating the connection check to a proxy server, effectively neutralizing the “silent” aspect of the exploit.
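To make the difference between the current behavior and the announced fix concrete, here is an added example (not Telegram’s client code, which is not reproduced on this page) that models both flows side by side. The network layer is replaced by a recorder so nothing is actually connected; `ask_user` stands in for the confirmation dialog, and the proxy address is a constructed placeholder. The point it demonstrates is the one the article makes: in the pre-fix flow the connection attempt (and thus the IP disclosure) happens on the tap itself, while the fixed flow cannot reach the network until the user, having seen the target, consents.

```python
from urllib.parse import urlparse, parse_qs


def proxy_target(url: str):
    """Extract (server, port) from a t.me/proxy or tg://proxy link.
    Minimal parser for the demo; assumes both parameters are present."""
    if "://" not in url:
        url = "https://" + url
    q = parse_qs(urlparse(url).query)
    return q["server"][0], int(q["port"][0])


class ConnectionRecorder:
    """Stand-in for the socket layer: records connect attempts instead of
    opening them, so the demo runs offline. Each attempt is the moment an
    attacker-controlled proxy would observe the client's public IP."""
    def __init__(self):
        self.attempts = []

    def connect(self, server: str, port: int) -> bool:
        self.attempts.append((server, port))
        return True            # pretend the proxy answered


def vulnerable_open_link(url: str, net: ConnectionRecorder) -> dict:
    """Pre-fix flow described in the article: the health check runs the
    moment the link is tapped, before any user decision."""
    server, port = proxy_target(url)
    reachable = net.connect(server, port)   # IP already disclosed here
    return {"server": server, "port": port, "reachable": reachable, "prompted": False}


def hardened_open_link(url: str, net: ConnectionRecorder, ask_user) -> dict:
    """Announced fix: show the resolved target and ask first; the network
    is touched only after explicit consent."""
    server, port = proxy_target(url)
    prompt = f"Check proxy {server}:{port}? This reveals your IP address to it."
    if not ask_user(prompt):
        return {"server": server, "port": port, "reachable": None, "prompted": True}
    return {"server": server, "port": port,
            "reachable": net.connect(server, port), "prompted": True}


def demo(user_consents: bool = False):
    """Return (attempts before fix, attempts after fix) for one tapped link."""
    link = "https://t.me/proxy?server=203.0.113.10&port=443&secret=SECRET_PLACEHOLDER"
    before = ConnectionRecorder()
    vulnerable_open_link(link, before)
    after = ConnectionRecorder()
    hardened_open_link(link, after, ask_user=lambda _prompt: user_consents)
    return len(before.attempts), len(after.attempts)


if __name__ == "__main__":
    print("user declines:", demo(False))   # pre-fix connects once, fixed flow never
    print("user accepts: ", demo(True))    # both connect once, but only after a prompt
```

Note that the hardened flow prompts with the resolved server address, not the display text of the link; that is what defeats the disguise described in the previous section, since a “news” link that resolves to an unfamiliar IP and port is visible as such before any packet leaves the device.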

How Can Users Protect Their Identity on Telegram?

Until the official patch with the warning prompt is deployed, users must take proactive steps to secure their anonymity:

  1. Use a VPN: Never rely solely on the application’s internal masking. Running a reputable system-wide VPN ensures that even if a proxy link triggers a connection, the attacker sees the VPN’s IP address, not your real one.
  2. Inspect Links Carefully: Be skeptical of hyperlinks sent by unknown accounts. On mobile, long-press the link to preview the raw URL. If it contains t.me/proxy, do not open it.
  3. Isolate Research Activities: For sensitive investigations, use dedicated devices or virtual machines (VMs) that are not linked to your primary identity or infrastructure.