Researchers have discovered a vulnerability in Telegram for Android and iOS. After clicking a specially crafted link, the app automatically connects to the attackers' server, transmitting the user's real IP address. No additional confirmation is required.
The issue arises from how Telegram handles proxy links. These links (in the format t.me/proxy?...) allow users to quickly configure an MTProto proxy in the client by simply clicking the link, instead of manually entering the details. Once opened in Telegram, the app reads the proxy parameters (including the server, port, and secret key) and prompts the user to add the proxy to their settings.
It turns out that when such a proxy link is opened in Telegram for Android and iOS, the app automatically tests the connection to the specified server (even before the proxy is added to the settings). This test connection initiates a direct test request from the user's device.
As a result, attackers can disguise a malicious link even as a regular username. For example, a message might display @durov, but the link actually leads to the attackers' proxy server. Clicking it will cause the app to contact the attackers' MTProto proxy server, transmitting the victim's real IP address. Once the IP address is obtained, the hackers can determine the victim's approximate location, conduct a DDoS attack, or use this data for other purposes. This issue could pose a threat to activists, journalists, and dissidents.
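The defensive counterpart to the disguise described above is to look at the real target behind a link before the client contacts it. The following example, added here and not taken from the article, Telegram or any of the researchers named, parses the proxy links in a message's link entities and flags the ones whose visible text does not reveal the proxy host. It assumes the two link forms Telegram uses for proxy configuration (https://t.me/proxy?... as named in the article, and the tg://proxy?... deep link) with the query keys server, port and secret; the message entities and the 203.0.113.x addresses are constructed sample input.

```python
"""Inspect Telegram message link entities and surface hidden MTProto proxy links."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hosts on which a "/proxy" path is treated as a proxy-configuration link.
# t.me is the form named in the article; telegram.me is an alias Telegram also serves.
PROXY_LINK_HOSTS = {"t.me", "telegram.me"}


@dataclass
class ProxyLinkFinding:
    display_text: str      # what the user sees in the message
    url: str               # the real target behind that text
    server: Optional[str]  # proxy host the client would test-connect to
    port: Optional[str]
    has_secret: bool
    disguised: bool        # True when the visible text does not reveal the proxy host


def parse_proxy_link(url: str):
    """Return (server, port, has_secret) when `url` is a Telegram proxy link, else None.

    Handles both the https://t.me/proxy?... form from the article and the
    tg://proxy?... deep-link form. `server`, `port` and `secret` are the query
    keys Telegram uses for these links (assumption stated in the lead-in).
    """
    u = urlparse(url.strip())
    is_web_form = (u.scheme in ("http", "https")
                   and u.netloc.lower() in PROXY_LINK_HOSTS
                   and u.path.rstrip("/") == "/proxy")
    is_deep_link = u.scheme == "tg" and u.netloc.lower() == "proxy"
    if not (is_web_form or is_deep_link):
        return None
    q = parse_qs(u.query)
    server = q.get("server", [None])[0]
    port = q.get("port", [None])[0]
    return server, port, "secret" in q


def inspect_entities(entities):
    """Take (display_text, url) pairs, as a client holds them for text-link
    entities, and return a finding for every proxy link among them."""
    findings = []
    for text, url in entities:
        parsed = parse_proxy_link(url)
        if parsed is None:
            continue
        server, port, has_secret = parsed
        # The link counts as disguised when nothing visible points at the proxy
        # host: a plain @username, an unrelated domain, or a missing server param.
        visible = text.strip().lower()
        disguised = server is None or server.lower() not in visible
        findings.append(ProxyLinkFinding(text, url, server, port, has_secret, disguised))
    return findings


# Constructed sample message: three links, one of which hides a proxy link
# behind a username. 203.0.113.x are documentation addresses, not real servers.
SAMPLE_ENTITIES = [
    ("@durov", "https://t.me/proxy?server=203.0.113.5&port=443&secret=dd00112233445566778899aabbccddeeff"),
    ("telegram.org", "https://telegram.org/"),
    ("proxy 203.0.113.9:443", "tg://proxy?server=203.0.113.9&port=443&secret=00"),
]

if __name__ == "__main__":
    for f in inspect_entities(SAMPLE_ENTITIES):
        label = "DISGUISED" if f.disguised else "visible"
        secret = "yes" if f.has_secret else "no"
        print(f"{label}: '{f.display_text}' -> proxy {f.server}:{f.port} (secret={secret})")
```

Run as a script it prints one line per proxy link; the first sample entity is reported as disguised because "@durov" never mentions 203.0.113.5, which is exactly the host the client would test-connect to. The same check is what a warning dialog, as Telegram says it plans to add, needs to show the user: the real server, not the link text.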
This bug was first identified by specialists from the Telegram channel chekist42. The topic was later picked up by other researchers, including 0x6rss, who even published a video demonstration of the attack. Experts compare this vulnerability to NTLM hash leaks in Windows, where a single interaction with a malicious resource triggers an automated request without the user's knowledge.
Telegram developers told BleepingComputer that website owners or proxy operators can see visitors' real IP addresses, and this isn't unique to Telegram.
"This applies to Telegram no more than it does to WhatsApp or any other service that has internet access," the company commented.
However, Telegram promised to add a warning when opening proxy links to encourage users to be more aware of disguised URLs. It has not specified when exactly this warning will appear in the apps.