Recent worrying rumours about a vulnerability involving the leak of a Telegram user's IP address have been circulating all over the internet. In this article we assess the severity of said “vulnerability”, how the “exploit” works and what can be done before falling into the trap.
Finally, we explore a set of considerations to take into account for a post-mortem assessment of an IP leak.
The proof-of-concept
With a few clicks we can get to this post on X by 0x6rss:
The video shows an attacker running a Python script that receives connections when a target taps on a Telegram message entity. Let’s break this down.
First things first: the victim taps on the “username mention”, the attacker immediately starts receiving many connection logs, and right after that a screen inviting the user to set a proxy is shown. The issue is demonstrated right there: even if the victim doesn’t set the malicious server as a proxy, connection requests are still made and therefore the IP address is leaked.
The message entity looks like a username mention, but it is actually a link presenting itself as a mention, and the link carries the proxy configuration of a server controlled by the attacker.
Looking more deeply
Trying with other devices we see that proxy settings can be shared with two separate configuration URLs:
- the safe one: tg://...
- the “malicious” one: https://t.me/proxy/...
Excluding the first one for obvious reasons, let’s focus on the one of interest. Trying to replicate the “exploit” on other devices was unsuccessful. We can confine the “vulnerability” to mobile devices, or rather, it has been proven to work on the latest (as of the time of writing) version for iOS.
Another valid point of the video is that one tap by the user is required, so the question now is: how can we tell whether the presented “username mention” is actually a mention or simply a masqueraded proxy configuration formatted as the dangerous URL option? The answer is simpler than you may expect: a long press on the message entity makes Telegram reveal what’s inside without actually “rendering” it (e.g. opening the URL or looking up the username).
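The long-press check above can also be done programmatically wherever message entities are available in structured form. The following is an added example, not code from the original post or from the video’s script: it inspects a message as returned by the Telegram Bot API (whose entity fields `type`, `offset`, `length` and `url` are real, with offsets counted in UTF-16 code units) and flags `text_link` entities whose visible text looks like an @mention but whose target is a proxy configuration URL. It deliberately flags both the tg:// and the t.me/proxy forms, which goes beyond the iOS-only case the post reproduces; the sample message and all its values are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a Bot API message whose visible "@mention" is really
# a text_link pointing at a t.me proxy configuration URL (values are made up).
SAMPLE_MESSAGE = json.loads("""
{
  "message_id": 1,
  "text": "hey @support_team check this out",
  "entities": [
    {"type": "text_link", "offset": 4, "length": 13,
     "url": "https://t.me/proxy?server=example.invalid&port=443&secret=00"}
  ]
}
""")

TELEGRAM_HOSTS = {"t.me", "telegram.me", "telegram.dog"}


def entity_text(text, entity):
    """Return the substring an entity covers; offsets are UTF-16 code units,
    so slice the UTF-16 encoding rather than the Python string."""
    u16 = text.encode("utf-16-le")
    start = entity["offset"] * 2
    end = (entity["offset"] + entity["length"]) * 2
    return u16[start:end].decode("utf-16-le")


def is_proxy_link(url):
    """True for tg://proxy, tg://socks and https://t.me/proxy|socks style URLs."""
    p = urlparse(url)
    if p.scheme == "tg":
        return p.netloc.lower() in {"proxy", "socks"}
    if p.scheme in {"http", "https"} and p.netloc.lower() in TELEGRAM_HOSTS:
        first_segment = p.path.strip("/").split("/")[0].lower()
        return first_segment in {"proxy", "socks"}
    return False


def find_masqueraded_proxy_links(message):
    """Report text_link entities that look like @mentions but open a proxy link."""
    findings = []
    for ent in message.get("entities", []):
        if ent.get("type") != "text_link":
            continue  # genuine mentions are type "mention" and carry no URL
        shown = entity_text(message["text"], ent)
        if shown.startswith("@") and is_proxy_link(ent.get("url", "")):
            findings.append({"shown": shown, "url": ent["url"]})
    return findings
```

Running `find_masqueraded_proxy_links(SAMPLE_MESSAGE)` on the constructed message returns one finding pairing the displayed `@support_team` with the proxy URL behind it.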
Post-mortem assessment
What if we inadvertently tapped on a malicious URL, resulting in our IP getting leaked? While we cannot “undo” the mistake, we can determine how that information identifies us and, more specifically, how it can be used against us.
Nowadays it’s very infrequent, or rather rare, to have a connection with a long-term assigned / static IP used by only one individual connected to the network. Therefore the attacker gets information about the country and possibly the area the connection originates from. Specifically, when it comes from a CGNAT network the area may be absolutely misleading and the information therefore unreliable (you do check sources and assess their reliability, don’t you!?).
Another very common possibility is that your ISP assigns IPs dynamically at every restart of the Wi-Fi access point. Therefore the correlation between victim and IP is only temporary.
It goes without saying that if we have:
- a long-term assigned IP
- a network not shared with other users
- an ISP that grants us a unique, non-shared connection
we are cooked.
Key takeaways
As always, don’t believe everything that you see online without verifying information first.
Secondly, don’t interact with content shared with you from untrusted or unrecognised sources. Rather, flag it to somebody digitally literate in order to better understand the severity of the threat.
Don’t use proxies unless specifically required; use trusted VPN providers instead (e.g. Proton).