- VPN
- VPN Privacy & Security
A new exploit found by researchers forces the Telegram app to bypass its own encryption tunnels, leaving your data exposed
When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.
(Image credit: Photo by Jaque Silva/NurPhoto via Getty Images)
Share
Share by:
- Copy link
- X
- Threads
- Researchers found a flaw with Telegram that can expose user IP addresses
- The one-click vulnerability exploits the app’s automatic proxy checking
- The bug "bypasses all configured proxies" within the app, including VPNs
Security researchers have uncovered a new one-click vulnerability that forces the Telegram mobile app to leak your real IP address. Even using the best VPN apps might not be enough to stop it if your settings aren't watertight.
The flaw, identified by security researcher 0x6rss, affects both Android and iOS versions of the app. It revolves around how Telegram handles proxy settings, a feature often used by people in restrictive regions to bypass censorship.
By disguising a malicious proxy link as a harmless username or website URL, attackers can trick the app into "pinging" a server they control. This connection happens automatically and, critically, occurs outside of the encrypted tunnel users rely on to stay anonymous.
You may like-
Russian restrictions have been blocking access to Telegram and WhatsApp for months – here's what we know
-
Google issues security alert: Your VPN app could be spyware in disguise
-
Three billion WhatsApp users are at risk - an expert has developed a tool that could spy on everyone, and you would never know about it
How Telegram's 'one-click' leak works
The vulnerability is triggered the moment a user clicks a specially crafted t.me link. While these links can look like standard user profiles, they actually point to a proxy configuration. When clicked, Telegram attempts to verify the quality of the proxy connection by sending a test request (a "ping") to the server.
The researcher found that this specific request “bypasses all configured proxies” and tunnels within the app. As a result, the connection is made via the device's native network stack, directly from the user's device, instantly logging their real IP address on the attacker’s server.
ONE-CLICK TELEGRAM IP ADDRESS LEAK!In this issue, the secret key is irrelevant. Just like NTLM hash leaks on Windows, Telegram automatically attempts to test the proxy. Here, the secret key does not matter and the IP address is exposed.Example of a link hidden behind a… https://t.co/KTABAiuGYI pic.twitter.com/NJLOD6aQiJJanuary 10, 2026
The proof-of-concept code is now publicly available on GitHub.
What makes this particularly dangerous is the "one-click" nature of the exploit. There is no second confirmation screen or warning before the ping is sent. Once the link is tapped, the damage is done.
For activists, journalists, and whistleblowers who rely on Telegram for anonymity, this exposes their approximate physical location and ISP details to potential bad actors.
Can a VPN protect you?
The researcher noted that the request "bypasses all configured proxies," ignoring active SOCKS5, MTProto, or VPN setups specifically configured within the Telegram app settings.
Because the app initiates this specific connection request directly through the device's network interface, it can potentially leak data even when protective tools are active.
You may like-
Russian restrictions have been blocking access to Telegram and WhatsApp for months – here's what we know
-
Google issues security alert: Your VPN app could be spyware in disguise
-
Three billion WhatsApp users are at risk - an expert has developed a tool that could spy on everyone, and you would never know about it
While a system-wide VPN with a strict kill switch should theoretically catch this traffic, the specific behavior of this flaw creates a significant risk that traffic could slip through the net, particularly if the user relies on split-tunneling features.
Today's best NordVPN, Surfshark, Proton VPN and ExpressVPN deals
NordVPN 2 Year US$3.39/mthView+3 months free
Surfshark 24 Months US$1.99/mthView
Proton VPN 24 Month US$3.59/mthView+4 MONTHS FREE
ExpressVPN 24 month US$2.79/mthViewWe check over 250 million products every day for the best pricesTelegram's response
Telegram has historically downplayed similar findings, often stating that "any website or proxy owner can see the IPs" of visitors, framing it as a standard function of how the internet works.
However, following scrutiny over this specific bypass, the company told Bleeping Computer that it intends to address the user interface aspect of the flaw.
Telegram is expected to add a warning prompt to these specific links in a future update, allowing users to spot disguised proxies and decline the connection before the automatic ping is sent.
What you can do
Until Telegram releases a patch to fix this automatic pinging behavior, users are advised to be extremely cautious when clicking links from unknown sources, even if they appear to be internal Telegram usernames.
- Avoid clicking t.me links from strangers or in public channels.
- Check link previews carefully before tapping.
- Ensure your system-wide VPN is active and configured to block all non-VPN traffic (Kill Switch enabled) rather than relying solely on Telegram’s internal proxy settings.
Telegram has yet to issue a formal date for this fix, but as scrutiny mounts, a security update is likely on the horizon. For now, the safest course of action is to treat every link with suspicion.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
Get daily insight, inspiration and deals in your inboxContact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over. CATEGORIES Cyber Security Computing Computing Security
Rene MillmanContributing WriterRene Millman is a seasoned technology journalist whose work has appeared in The Guardian, the Financial Times, Computer Weekly, and IT Pro. With over two decades of experience as a reporter and editor, he specializes in making complex topics like cybersecurity, VPNs, and enterprise software accessible and engaging.
Show More CommentsYou must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
Logout Read more
Russian restrictions have been blocking access to Telegram and WhatsApp for months – here's what we know
Google issues security alert: Your VPN app could be spyware in disguise
Three billion WhatsApp users are at risk - an expert has developed a tool that could spy on everyone, and you would never know about it
Iran’s "VPN mafia" blamed for delays on the lifting of Telegram ban – here's what we know
Urban VPN Proxy is the latest free VPN spying on users – here's how to stay safe
Messaging app Freedom Chat exposes user phone numbers and more - here's what we know
Latest in VPN Privacy & Security
VPN interest spikes in Uganda as the internet gets disrupted ahead of the general elections
Windscribe is building an ecosystem of privacy-first apps – but it doesn't want to own them
Internet censorship hit 'half the world’s population' in 2025, Surfshark warns – and 2026 is already looking grim
Cloudflare CEO threatens to pull servers from Italy after AGCOM's €14M fine
Discord stopped working in Egypt – and Proton VPN records massive usage spike
Iranians offline for over 90 hours as digital blackout continues for fifth day – here's everything we know
Latest in News
Security researchers warn Telegram links can doxx you – even with a VPN
Spotify claims it's not forcing AI-generated music onto listeners.
ServiceNow patches critical security flaw which could allow user impersonation
Nvidia could pivot away from RTX 5070 Ti and 5060 Ti 16GB to favor 8GB GPUs
Fender's Play platform is coming to Samsung TVs everywhere – grab your axe by summer 2026
Sega ditches Nintendo's controversial Game-Key Cards for Sonic Racing: CrossWorlds' physical Switch 2 release
LATEST ARTICLES- 1VPN interest spikes in Uganda as the internet gets disrupted ahead of the general elections
- 2ServiceNow patches critical security flaw which could allow user impersonation
- 3Docusign wants to use AI to turn your complex contracts into plain English
- 4Experts warn this new Chinese Linux malware could be preparing something seriously worrying
- 5The RAM shortage claims another victim as PS5 SSD prices rocket — here's why now is the worst time to buy and what to do instead