
A one-click vulnerability in the Telegram app for Android and iOS enables attackers to obtain users’ real IP addresses, even when they use a built-in proxy, security researchers warn.
If you rely on Telegram for privacy, activism, whistleblowing, bypassing censorship, or otherwise just protecting your online identity, be aware that your IP address can be leaked. It takes only one click on what might seem like a username mentioned in chat.
Telegram has a built-in tool, MTProxy, for users to circumvent internet censorship in countries where Telegram access is restricted. This helps mask the user's IP as well as obfuscate user traffic.
However, security researchers warn that attackers can themselves abuse this feature to leak users’ IP addresses. Adversaries can set up a fake Telegram MTProxy server and create links to it.
If a user clicks on such a link, shared in groups, channels, or chats, then the Telegram app will connect to the fake proxy using the real IP address. Researchers warn that attackers can make links appear indistinguishable from username handles.
The issue is that the Telegram app first attempts to test the proxy and connects to the proxy server using the user’s real internet connection.
The vulnerability was detailed by a security researcher who goes by the moniker Saurabh on LinkedIn. The proof-of-concept code is already publicly available on GitHub.
“When a Telegram user clicks a tg://proxy link, the client attempts to connect to the specified proxy server before applying any configured proxy settings. This connection originates from the device’s real network interface, exposing the public IP,” the researcher explains.
Telegram’s MTProxy is primarily used to bypass ISP-level blocking and shouldn’t be relied upon for real anonymity. A system-wide VPN solution should be used instead to protect online identity.
A device-level VPN routes all application traffic, including Telegram, through the encrypted tunnel, preventing the exposure of the IP address.
IP exposure can be highly sensitive, as it helps identify users and their approximate locations, potentially compromising privacy and security.
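A moderation-side check for the disguise described above, as an added example that is not from the article or the researcher's proof of concept: it flags hyperlinks whose visible text reads as a @username while the real target is a Telegram proxy link. The `(text, url)` input shape, the function names and the sample links are constructed for illustration, and the `socks` action and the `t.me` web forms are included on the assumption that clients treat them like `tg://proxy`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# tg://proxy is the form named in the article. The socks action and the
# t.me / telegram.me web forms are assumed to be equivalent deep links.
PROXY_ACTIONS = {"proxy", "socks"}
WEB_HOSTS = {"t.me", "telegram.me"}
USERNAME_RE = re.compile(r"^@[A-Za-z][A-Za-z0-9_]{3,31}$")


def proxy_target(url):
    """Return (server, port) if url is a Telegram proxy link, else None."""
    parts = urlsplit(url.strip())  # urlsplit lowercases the scheme
    if parts.scheme == "tg":
        action = parts.netloc.lower()
    elif parts.scheme in ("http", "https") and parts.netloc.lower() in WEB_HOSTS:
        action = parts.path.strip("/").lower()
    else:
        return None
    if action not in PROXY_ACTIONS:
        return None
    query = parse_qs(parts.query)
    return query.get("server", [""])[0], query.get("port", [""])[0]


def classify(text, url):
    """Label one hyperlink by its visible text and its real target."""
    if proxy_target(url) is None:
        return "ok"
    # Visible text that reads as a @username on top of a proxy target is
    # the disguise described in the article.
    if USERNAME_RE.match(text.strip()):
        return "disguised-proxy-link"
    return "proxy-link"


def scan(links):
    """Return (text, server, port, label) for every link that is not ok."""
    findings = []
    for text, url in links:
        label = classify(text, url)
        if label != "ok":
            findings.append((text, *proxy_target(url), label))
    return findings


# Constructed sample links (documentation addresses, placeholder secrets).
SAMPLE_LINKS = [
    ("@support_team", "tg://proxy?server=203.0.113.7&port=443&secret=PLACEHOLDER"),
    ("@alice_w", "https://t.me/alice_w"),
    ("Free proxy", "https://t.me/proxy?server=proxy.example&port=8443&secret=PLACEHOLDER"),
    ("@news_channel", "TG://PROXY?server=198.51.100.9&port=443&secret=PLACEHOLDER"),
]
```

A group moderation bot or a message-export audit could feed its extracted hyperlinks to `scan` and hold or annotate anything labelled `disguised-proxy-link`.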