Why the Telegram “one-click IP leak” is not a vulnerability

Worrying rumours about a vulnerability that leaks the IP address of a Telegram user have recently been circulating all over the internet. In this article we assess the severity of said “vulnerability”, how the “exploit” works and what can be done to avoid falling into the trap.

Finally, we explore a set of considerations to take into account in the post-mortem of an IP leak.

The proof-of-concept

With a few clicks we can get to this post on X by 0x6rss:

The video shows an attacker running a Python script that receives connections when a target taps on a Telegram message entity. Let’s break this down.

First things first, we see the victim tap on the “username mention”; immediately afterwards the attacker starts receiving many connection log entries, and then a screen inviting the user to set a proxy is shown. This is the issue being demonstrated: even if the victim doesn’t set the malicious server as proxy, connection requests are still made and therefore the IP address is leaked.

The message entity looks like a username mention but it’s actually a link displayed as a mention, and the link carries the proxy configuration of the attacker-controlled server.

Digging deeper

Trying it on other devices, we notice that proxy settings can be shared through two separate configuration URL formats:

  • the safe one: tg://...
  • the “malicious” one: https://t.me/proxy/...

Excluding the first for obvious reasons, let’s focus on the one of interest.

Attempting to replicate the “exploit” on other devices is unsuccessful. We can narrow down the “vulnerability” to mobile devices; more precisely, it was proven functional on the latest iOS version at the time of writing.

Another valid point of the video is that a tap from the user is required. So now the question is: how can we know whether the presented “username mention” is actually a mention or simply a proxy configuration masqueraded as one, formatted as the dangerous URL option? The answer is simpler than you may expect: a long press on the message entity makes Telegram reveal what’s inside without actually “rendering” it (e.g. opening the URL or looking up the username).
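The long press is the manual check. For a bot, a moderation tool or an analyst triaging a reported message, the same distinction can be made programmatically from the message’s entity list, because a real mention is a `mention` entity with no URL, while the trick relies on a `text_link` entity whose displayed text merely looks like `@username`. The following is an added example, not code from the article or from the proof of concept it discusses. It assumes the Telegram Bot API layout of message objects (`text` plus `entities` with `type`, `offset`, `length`, `url`) and the two proxy URL shapes named above (`tg://proxy` and `https://t.me/proxy/...`); the sample message, server address and secret are constructed values.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of a Telegram Bot API message object: the
# visible text "@support" is a text_link entity whose hidden URL is a proxy
# configuration on an attacker-controlled server (address from a documentation
# range, not a real host). "@alice" is a genuine mention entity for contrast.
SAMPLE_MESSAGE = json.loads("""
{
  "text": "Hi! Please contact @support for help, or see @alice",
  "entities": [
    {"type": "text_link", "offset": 19, "length": 8,
     "url": "https://t.me/proxy/?server=198.51.100.7&port=443&secret=dd00"},
    {"type": "mention", "offset": 45, "length": 6}
  ]
}
""")


def entity_text(text: str, entity: dict) -> str:
    """Return the visible text an entity covers.

    Bot API offsets and lengths count UTF-16 code units, so an emoji before
    the entity shifts the offset by two; slicing the UTF-16 encoding keeps
    the mapping exact instead of guessing with Python string indices."""
    u16 = text.encode("utf-16-le")
    start = entity["offset"] * 2
    end = start + entity["length"] * 2
    return u16[start:end].decode("utf-16-le")


def is_proxy_config_url(url: str) -> bool:
    """True for either proxy-configuration URL format discussed in the article:
    tg://proxy?... or https://t.me/proxy/...  Query parameters are ignored, so
    no particular parameter layout is assumed."""
    p = urlparse(url)
    if p.scheme == "tg":
        return p.netloc.lower() == "proxy"
    if p.scheme in ("http", "https") and p.netloc.lower() in ("t.me", "telegram.me"):
        return p.path.lstrip("/").split("/")[0].lower() == "proxy"
    return False


def looks_like_mention(visible: str) -> bool:
    """Does the displayed text look like a @username?"""
    return len(visible) > 1 and visible[0] == "@" and visible[1:].replace("_", "").isalnum()


def audit_message(message: dict) -> list:
    """Flag text_link entities that carry a proxy configuration URL and/or
    display mention-looking text while actually being a link. Genuine
    'mention' entities have no URL and are never flagged."""
    findings = []
    for ent in message.get("entities", []):
        if ent.get("type") != "text_link":
            continue
        visible = entity_text(message["text"], ent)
        url = ent.get("url", "")
        proxy = is_proxy_config_url(url)
        masquerade = looks_like_mention(visible)
        if proxy or masquerade:
            findings.append({
                "text": visible,
                "url": url,
                "scheme": urlparse(url).scheme,
                "proxy_config": proxy,
                "masqueraded_mention": masquerade,
            })
    return findings


if __name__ == "__main__":
    for f in audit_message(SAMPLE_MESSAGE):
        print(f"{f['text']!r} -> {f['url']}  proxy_config={f['proxy_config']} "
              f"masqueraded_mention={f['masqueraded_mention']}")
```

The `scheme` field is kept in each finding because the article observed only the `https://t.me/proxy/...` form triggering connections on iOS; a defender would still surface the `tg://` form, since a link hidden behind mention-looking text is suspicious regardless of which client happens to prompt before connecting.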

Post-mortem assessment

What if we inadvertently tapped on a malicious URL, resulting in our IP being leaked? While we cannot “undo” the mistake, we can determine how much that information identifies us and, more specifically, how it can be used against us.

Nowadays it is rare for a connection to have a long-term or static IP that is used by only one individual. Therefore the attacker learns the country, and possibly the area, the connection originates from. When it comes from a CGNAT network in particular, the area can be completely misleading and the information therefore unreliable (you verify the sources and assess their reliability, right!?).

Another very common case is your ISP dynamically assigning an IP at every reboot of the Wi-Fi access point. The correlation between the victim and the IP is therefore only temporary.

It goes without saying that if:

  • we have a long-term assigned IP
  • the network is not shared with other users
  • the ISP guarantees us a unique, non-shared connection

we are in trouble.

Key takeaways

As always, don’t believe everything you see online without first verifying the information.

Secondly, don’t interact with content shared by untrusted or unrecognised sources; rather, report it to someone digitally competent to better understand the severity of the threat.

Don’t use proxies unless specifically needed; use trusted VPN providers instead (e.g. Proton).