Telegram Mobile Apps May Expose IP Address via Quick Proxy Setup Links

A security researcher discovered that Telegram's mobile apps do not warn users about potential IP exposure when clicking quick proxy setup links. While not a major danger for average users, this is undesirable for those concerned about being surveilled.

The Core Issue

Typically, clicking an external link or unsafe file triggers a warning pop-up. However, clicking a quick proxy setup link is handled differently: the app immediately attempts to connect to the server to check its availability, bypassing the warning entirely.

An attacker can disguise such a link as a username or another hyperlink. The moment it is clicked, the app sends a request to the server controlled by the attacker, thereby revealing the user's IP address.

• The issue affects only Android and iOS clients.
• The @tginfo team independently confirmed that Telegram Desktop, macOS, Telegram X, and Web versions handle these links safely and do not automatically connect to proxy servers.

The Risk is Low

It is important to note that for most users, this problem is not critical. An IP address usually only reveals an approximate location (city level), and many users have dynamic IPs.

Similar flaws, such as EvilLoader, have been fixed by the Telegram team in the past. We believe developers may disable the automatic check for proxies opened from formatted links in upcoming updates.

For those whom IP privacy is critical, we recommend using a system-wide VPN. This is the only reliable way to prevent IP leaks across apps.

#security