Telegram downplays “disguised proxy link” issue but promises new click warning

Telegram is pushing back against security researchers who say the messaging app has a problem with disguised proxy links that can expose user IP addresses. The company insists it’s not really a vulnerability, but they’re adding warnings anyway.

Here’s what’s happening. Researchers from GangExposed RU showed over the weekend how attackers can hide proxy server links behind what looks like normal username mentions. You might see @durov in a message and think you’re clicking on a profile, but you’re actually triggering a connection to a proxy server.

When that happens, Telegram automatically tests the connection — and that test bypasses any VPN or proxy you’ve already set up. Your real IP goes straight to whoever controls that server.

Security researcher 0x6rss posted a demonstration on X showing how this works on both Android and iOS. Click the disguised link, and your IP leaks before you even see a confirmation dialog. There’s no user warning, and no chance to back out.

Telegram’s response seems to be somewhat dismissive. In response to the GangExposed RU and other posts highlighting the issue, the company said any website or proxy owner can see visitor IPs regardless of platform. This isn’t unique to Telegram, they argued. Still, they’re adding a warning that shows when people click proxy links, helping users spot disguised ones.

That explanation doesn’t really address the issue, though. Yes, websites see your IP when you visit them. But people using Telegram with configured proxies or VPNs probably didn’t expect the app to bypass those protections for an automatic connection test. The whole point of using a proxy is to hide your location.

What makes this effective is how normal these malicious links appear. They blend right into regular Telegram messages. So for example, someone can share what looks like a username mention in a group chat, then you click it out of habit, and suddenly, an attacker knows your real IP. This is perfect for targeting activists, journalists, or anyone trying to stay anonymous in restricted regions.

Telegram hasn’t said when the warning feature will roll out. For now, users worried about privacy should think twice before clicking username mentions in untrusted groups, and keep a VPN running at the system level as backup protection.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.