Security researchers have uncovered a new threat to user anonymity on Telegram: specially crafted links for proxy configuration allow malicious actors to de-anonymize individuals without any additional confirmations or warnings. These proxy links appear as ordinary t.me addresses and can be disguised as usernames, but when clicked, the messenger automatically attempts to connect to a proxy server, sending a direct network request from the device, which reveals the user's real IP address, even if they intended to remain hidden and were using a proxy.
The exploitation mechanism is simple yet effective: Telegram on Android and iOS checks whether the proxy is reachable before it is even added to the settings. As a result, the owner of the proxy the link points to obtains the victim's IP address, bypassing all privacy settings. Experts warn that this could lead to approximate location determination, targeted attacks, DDoS attacks, and further user profiling. This is particularly dangerous for journalists, activists, and those who consciously use proxies for anonymity.
Telegram officially does not consider this situation a critical vulnerability, asserting that any website or proxy on the internet sees a visitor's IP address, and this is not unique to their platform. Nevertheless, the company has promised to add warnings when clicking on proxy links, so users know exactly what they are opening. When exactly this feature will appear in Telegram applications has not yet been specified.
Cybersecurity experts advise being extremely cautious: do not click on suspicious t.me links, even if they look like usernames, and pay special attention to such links on mobile devices to avoid immediate leakage of your real IP address.
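For screening message text before anyone taps a link, here is an added example (not from the article or from Telegram) that flags proxy deep links and notes when the visible label hides the target. It assumes Telegram's `t.me/proxy`, `t.me/socks` and `tg://` link forms and Markdown-style `[label](url)` links; the sample message and its addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Telegram's proxy deep-link forms (t.me/proxy, t.me/socks, tg://proxy, tg://socks).
PROXY_ACTIONS = {"proxy", "socks"}
WEB_HOSTS = {"t.me", "telegram.me"}
MD_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")            # [label](href)
URL = re.compile(r"(?:https?://|tg://)\S+|\b(?:t|telegram)\.me/\S+", re.I)

def parse_proxy_link(url):
    """Return kind/server/port if url is a Telegram proxy link, else None."""
    url = url.strip()
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "https://" + url                     # bare "t.me/..." form
    try:
        parts = urlsplit(url)
    except ValueError:                             # malformed input is not a proxy link
        return None
    host = (parts.hostname or "").lower()
    if parts.scheme == "tg":
        kind = host                                # tg://proxy?... carries the action as host
    elif parts.scheme in ("http", "https") and host in WEB_HOSTS:
        kind = parts.path.strip("/").lower()
    else:
        return None
    if kind not in PROXY_ACTIONS:
        return None
    q = parse_qs(parts.query)
    return {"kind": kind, "server": q.get("server", [""])[0], "port": q.get("port", [""])[0]}

def audit_message(text):
    """List proxy links in a message; 'disguised' means the label is not itself a proxy link."""
    findings = []
    for label, href in MD_LINK.findall(text):
        info = parse_proxy_link(href)
        if info:
            findings.append({**info, "label": label,
                             "disguised": parse_proxy_link(label) is None})
    for raw in URL.findall(MD_LINK.sub(" ", text)):   # bare URLs outside [label](href)
        info = parse_proxy_link(raw)
        if info:
            findings.append({**info, "label": raw, "disguised": False})
    return findings

# Constructed sample message; addresses are documentation/placeholder values.
SAMPLE = ("Contact [@support_team](https://t.me/proxy?server=203.0.113.7&port=443"
          "&secret=PLACEHOLDER) or see https://t.me/example_channel "
          "and tg://socks?server=proxy.example&port=1080")

if __name__ == "__main__":
    for finding in audit_message(SAMPLE):
        print(finding)
```

The ordinary channel link in the sample is not reported; only the two proxy links are, and the one hidden behind the `@support_team` label is marked as disguised.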