- Researchers found a flaw in Telegram that can expose users’ IP addresses
- One-Click Vulnerability Exploits App’s Automatic Proxy Verification
- The test request “bypasses all configured proxies” inside the app, including in-app VPN-style settings
Security researchers have discovered a new one-click vulnerability that forces the Telegram mobile app to leak your real IP address. Even using the best VPN apps might not be enough to protect you if your settings are not airtight.
The flaw, identified by security researcher 0x6rss, affects the Android and iOS versions of the app. It revolves around how Telegram handles proxy settings, a feature often used by people in restrictive regions to avoid censorship.
By disguising a malicious proxy link as a harmless username or website URL, attackers can trick the application into “pinging” a server they control. This connection occurs automatically and, more importantly, occurs outside of the encrypted tunnel that users rely on to remain anonymous.
How Telegram’s ‘one-click’ leak works
The vulnerability is triggered the moment a user clicks on a specially crafted t.me link. While these links may look like standard user profiles, they actually point to a proxy setup. When clicked, Telegram attempts to verify the quality of the proxy connection by sending a test request (a “ping”) to the server.
The researcher discovered that this specific request “bypasses all configured proxies” and tunnels within the application. As a result, the connection is made through the device’s native networking stack, directly from the user’s device, instantly registering its real IP address on the attacker’s server.
Researcher’s post (January 10, 2026): “TELEGRAM IP ADDRESS LEAK WITH ONE CLICK! In this problem, the secret key is irrelevant. Like NTLM hash leaks on Windows, Telegram tries to automatically test the proxy. Here, the secret key does not matter and the IP address is exposed. Example of a link hidden behind a…” pic.twitter.com/NJLOD6aQiJ
The proof-of-concept code is now publicly available on GitHub.
What makes this particularly dangerous is the “one-click” nature of the exploit. There is no second confirmation screen or warning before sending the ping. Once the link is touched, the damage is done.
For activists, journalists and whistleblowers who rely on Telegram to maintain anonymity, this exposes their approximate physical location and ISP details to potential bad actors.
Can a VPN protect you?
The researcher noted that the request “skips all configured proxies,” ignoring any SOCKS5, MTProto or VPN-style setting configured inside the Telegram app itself.
Because the app sends this specific request directly through the device’s network interface, it can leak the real address even while Telegram’s own protection settings are active.
In theory, a system-wide VPN with a strict kill switch should capture this traffic, since the ping still leaves through the operating system’s network stack. The risk is that the ping escapes anyway, particularly if the user relies on split tunneling, so the VPN must cover Telegram’s traffic and block everything that does not go through the tunnel.
Telegram’s response
Telegram has historically downplayed similar findings, often stating that “any website or proxy owner can see the IPs” of visitors, framing it as a standard function of how the Internet works.
However, after scrutiny of this specific variant, the company told BleepingComputer that it is working on a change intended to address the user-interface side of the issue.
Telegram is expected to add a warning message to these specific links in a future update, allowing users to detect disguised proxy servers and reject the connection before the automatic ping is sent.
What can you do?
Until Telegram releases a patch to fix this auto-ping behavior, users are advised to be very careful when clicking on links from unknown sources, even if they appear to be internal Telegram usernames.
- Avoid clicking on t.me links from strangers or on public channels.
- Check the actual link target (for example via the link preview) before tapping, rather than trusting the displayed text.
- Make sure your system-wide VPN is active and configured to block all non-VPN traffic (Kill Switch enabled) instead of relying solely on Telegram’s internal proxy settings.
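The check in the advice above, and the mechanism described under “How Telegram’s ‘one-click’ leak works,” can be made concrete with a small link classifier. The following is an added example written for this article; it is not the researcher’s proof of concept and not Telegram code. It recognises the documented proxy-setup link formats (t.me/proxy, t.me/socks, tg://proxy, tg://socks) and reports the server the app would contact. The sample message, host names and IP addresses are constructed for the demo; the link formats and parameter names (server, port, secret) are the public Telegram ones.

```python
"""Spot disguised Telegram proxy links before tapping them.

Added illustration for this article (not the researcher's PoC, not Telegram
code). It parses the documented proxy-setup formats, t.me/proxy, t.me/socks,
tg://proxy and tg://socks, and reports the server the app would contact. The
sample message and all hosts/IPs below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

TELEGRAM_HOSTS = {"t.me", "telegram.me", "telegram.dog"}
PROXY_PATHS = {"proxy": "mtproto", "socks": "socks5"}
LINK_RE = re.compile(r"(?:https?|tg)://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class LinkVerdict:
    url: str
    is_proxy: bool
    kind: Optional[str] = None    # "mtproto" or "socks5"
    server: Optional[str] = None
    port: Optional[int] = None
    reason: str = ""


def classify_link(url: str) -> LinkVerdict:
    """Return whether `url` is a proxy-setup link and which server it names."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        # .hostname drops userinfo, port and case, so "t.me@evil.example" is not mistaken for t.me
        if (parts.hostname or "") not in TELEGRAM_HOSTS:
            return LinkVerdict(url, False, reason="not a Telegram link")
        endpoint = unquote(parts.path).strip("/").split("/", 1)[0].lower()
    elif scheme == "tg":
        # tg://proxy?server=... carries the endpoint in the netloc part
        endpoint = (parts.netloc or unquote(parts.path).strip("/")).lower()
    else:
        return LinkVerdict(url, False, reason="not a web or tg:// link")

    kind = PROXY_PATHS.get(endpoint)
    if kind is None:
        return LinkVerdict(url, False, reason=f"'{endpoint}' is not a proxy endpoint")

    # parse_qs percent-decodes values; a disguising fragment such as "#@channel" is ignored
    query = parse_qs(parts.query)
    server = query.get("server", [None])[0]
    port_raw = query.get("port", [None])[0]
    port = int(port_raw) if port_raw and port_raw.isdigit() else None
    # The secret/key is deliberately not inspected: the leak does not depend on it
    return LinkVerdict(url, True, kind, server, port,
                       "proxy setup link: the app may contact this server directly")


def scan_text(text: str) -> List[LinkVerdict]:
    """Classify every http(s)/tg link found in a message, in order of appearance."""
    return [classify_link(m.group(0).rstrip(".,;)")) for m in LINK_RE.finditer(text)]


# Constructed sample message: one ordinary profile link, one proxy link that
# looks like a "mirror" to a casual reader.
SAMPLE_MESSAGE = (
    "Hey, follow my channel https://t.me/alice_news and use this mirror "
    "https://t.me/proxy?server=203.0.113.5&port=443&secret=dd00112233445566778899aabbccddeeff "
    "if the first one is slow."
)

if __name__ == "__main__":
    for v in scan_text(SAMPLE_MESSAGE):
        flag = "PROXY" if v.is_proxy else "ok   "
        target = f" -> {v.server}:{v.port}" if v.is_proxy else ""
        print(f"{flag} {v.url}  ({v.reason}){target}")
```

Run it over any message before tapping a link: a verdict with `is_proxy` set means the link configures a proxy and, per the article, the app would contact `server:port` directly; a plain profile or channel link under t.me is reported as not a proxy endpoint. The classifier works on the parsed hostname and path, so an attacker-controlled display text, a fragment like `#@channel`, or a look-alike host cannot change the verdict.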
Telegram has yet to release a formal date for this fix, but as scrutiny increases, a security update is likely on the horizon. For now, the safest course of action is to treat every link with suspicion.