Executive Summary
In January 2026, security researchers revealed that Telegram users could have their real IP address exposed by clicking specially crafted proxy links disguised as regular usernames or harmless URLs. When users clicked these links in Telegram's Android or iOS apps, the app would automatically attempt to connect to the attacker-controlled proxy server, revealing the user's actual IP without further confirmation. This behavior, demonstrated across various public channels, posed targeted privacy risks, including location tracking and the potential for follow-on attacks. Telegram acknowledged the issue and stated they would introduce warnings to alert users about proxy links but did not commit to a timeline for deployment.
This incident highlights a growing trend of information disclosure vulnerabilities related to messaging apps and link-based attacks, demonstrating the persistent risk of metadata and IP leaks in platforms used for privacy and circumvention. It brings renewed urgency to strengthen client security and increase user awareness, especially amid rising concerns over digital privacy and targeted cyber threats.
Why This Matters Now
The disclosure of real IP addresses via disguised Telegram proxy links represents an urgent privacy risk, especially for journalists, activists, and users in restrictive environments. As attackers become more adept at exploiting seemingly innocuous app features, organizations and individuals need to be vigilant about malicious link manipulation tactics that can deanonymize users swiftly.
Attack Path Analysis
The attacker disguised a malicious Telegram proxy link as a legitimate username, luring users into clicking it (Initial Compromise). Upon clicking, the Telegram app automatically connected to the attacker's server, but no privilege escalation occurred (Privilege Escalation). Since this attack did not involve movement within an environment, lateral movement was not observed (Lateral Movement). The attacker's proxy server established a communication channel from the victim's device (Command & Control). The real IP address of the victim was exposed via this outbound connection (Exfiltration). The impact was limited to information disclosure—the deanonymization of the user's IP address and potential related privacy risks (Impact).
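The disguised-link pattern described above, as an added example that is not part of the original report and not Telegram's code: a checker that takes a rendered link's visible label and its real target, recognises Telegram proxy links (the tg://proxy, tg://socks and t.me/proxy forms with their server/port query parameters, assumed here from Telegram's public link format) and flags those whose label looks like a username or an unrelated URL. The sample links are constructed; a message-scanning gateway or client-side warning could apply the same logic.

```python
"""Flag Telegram proxy links disguised as usernames or ordinary URLs.
Added example, not from the original report or from Telegram. Assumed link
formats: tg://proxy?server=..&port=.., tg://socks?.., https://t.me/proxy?.."""
import re
from urllib.parse import urlsplit, parse_qs

TELEGRAM_HOSTS = {"t.me", "telegram.me"}   # assumed Telegram link hosts
PROXY_KINDS = {"proxy", "socks"}
# Telegram usernames: 5-32 chars, letters/digits/underscore, optional '@'
USERNAME_RE = re.compile(r"^@?[A-Za-z][A-Za-z0-9_]{4,31}$")


def proxy_target(href):
    """Return (server, port) if href is a Telegram proxy link, else None."""
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme == "tg":
        kind = parts.netloc.lower()                 # tg://proxy?...
    elif scheme in ("http", "https") and parts.netloc.lower() in TELEGRAM_HOSTS:
        kind = parts.path.strip("/").lower()        # https://t.me/proxy?...
    else:
        return None
    if kind not in PROXY_KINDS:
        return None
    query = parse_qs(parts.query)
    server = query.get("server", [""])[0]
    port = query.get("port", [""])[0]
    if not server:
        return None
    return server, (int(port) if port.isdigit() else None)


def classify_link(display_text, href):
    """'ok' for non-proxy links, 'proxy' when the label itself shows a proxy
    link, 'disguised_proxy' when the label looks like a username or a URL
    that does not match the proxy target the click would actually connect to."""
    target = proxy_target(href)
    if target is None:
        return {"verdict": "ok", "server": None, "port": None}
    label = display_text.strip()
    if proxy_target(label) is not None:
        verdict = "proxy"
    elif USERNAME_RE.match(label) or label.lower().startswith(("http://", "https://")):
        verdict = "disguised_proxy"
    else:
        verdict = "proxy"
    return {"verdict": verdict, "server": target[0], "port": target[1]}


def scan_links(links):
    """Return (label, server, port) for every disguised proxy link in a batch."""
    hits = []
    for label, href in links:
        result = classify_link(label, href)
        if result["verdict"] == "disguised_proxy":
            hits.append((label, result["server"], result["port"]))
    return hits
```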
Kill Chain Progression
Initial Compromise
Description
A user is tricked into clicking a disguised Telegram proxy link, causing their device to make an outbound connection to an attacker-controlled proxy server.
Related CVEs
CVE-2026-XXXXX
CVSS 5.3
A vulnerability in Telegram's Android and iOS clients allows attackers to expose a user's real IP address by disguising proxy links as usernames, leading to potential privacy breaches.
Affected Products:
Telegram Messenger – Android and iOS clients up to version 9.3.2
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
MITRE ATT&CK techniques selected to cover the observed and likely tactics for link-based IP disclosure and targeted deanonymization, for filtering and future enrichment.
Phishing
Phishing for Information
Network Sniffing
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Application Layer Protocol: Web Protocols
Account Discovery
System Owner/User Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Protect stored cardholder data
Control ID: 3.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Article 9
CISA ZTMM 2.0 – Prevent Information Disclosure
Control ID: Identity Pillar – 4.3
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Telegram proxy vulnerability exposes government officials' IP addresses, enabling targeted surveillance and location tracking that compromises national security operations.
Law Enforcement
IP disclosure through disguised Telegram links threatens undercover operations and officer safety by revealing real locations to criminal organizations.
Newspapers/Journalism
Journalists using Telegram for source protection face deanonymization risks as malicious proxy links can expose their real IP addresses instantly.
Non-Profit/Volunteering
Activists and human rights organizations relying on Telegram anonymity are vulnerable to location tracking through one-click proxy link exploitation.
Sources
- Hidden Telegram proxy links can reveal your IP address in one click – https://www.bleepingcomputer.com/news/security/hidden-telegram-proxy-links-can-reveal-your-ip-address-in-one-click/
- Telegram built-in proxy exposes real IPs using single-click flaw, researchers warn – https://cybernews.com/security/telegram-one-click-vulnerability-leaks-ip-address/
- Telegram Exposes Real Users IP Addresses, Bypassing Proxies on Android and iOS in 1-click – https://cybersecuritynews.com/one-click-telegram-flaw/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress policy enforcement, and granular observability could have identified or blocked unexpected outbound proxy connections, mitigating this information disclosure. Egress controls and real-time anomaly detection in CNSF would have prevented unauthorized communication to attacker infrastructure.
Control: Multicloud Visibility & Control
Mitigation: Suspicious or uncommon egress activity would be visible and auditable.
Control: Zero Trust Segmentation
Mitigation: Limits any potential expansion of attacker access if application vulnerabilities are abused.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized internal traffic paths, reducing attack surface for future pivoting.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to untrusted proxy servers would be blocked or require explicit approval.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous outbound egress patterns or destination contacts would trigger alerts.
Inline fabric-level controls minimize the chance that user metadata reaches an untrusted party.
Impact at a Glance
Affected Business Functions
- User Privacy
- Data Security
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of users' real IP addresses, leading to privacy breaches and possible targeted attacks.
Recommended Actions
Key Takeaways & Next Steps
- Enforce egress filtering to restrict applications from initiating outbound connections to untrusted proxy servers.
- Deploy real-time multicloud traffic observability to detect anomalous application behaviors and suspicious destinations.
- Implement Zero Trust segmentation to limit the blast radius of any endpoint compromise or unexpected application action.
- Utilize automated threat detection and anomaly response to alert on and block network requests that match known TTPs of data leakage.
- Continuously update segmentation and policy rules to account for dynamic application and user behaviors, ensuring resilient prevention against emerging proxy-based information disclosure attacks.