Hidden Telegram proxy links can reveal your IP address in one click

Parkinsond

On Telegram's Android and iOS clients, opening a proxy link triggers an automatic test connection, causing the app to initiate a direct network request from the user's device to the specified server before the proxy is added.

Attackers can abuse this behavior by setting up their own MTProto proxies and distributing links that are visually disguised as harmless usernames or website URLs but actually point to proxy configuration endpoints.

If a user clicks such a link on a mobile client, the Telegram app will attempt to connect to the attacker-controlled server, allowing the proxy operator to log the user's real IP address.

The exposed IP address could then be used to infer a user's approximate location (visitors are welcome), launch denial-of-service attacks (why spend money on home PC disruption?), or support other targeted abuse.

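A defender-side check for the disguised links described in the post, as an added example that is not part of the original post: it scans message HTML (for instance a chat export) for anchors whose target is a Telegram proxy link (`t.me/proxy`, `t.me/socks`, `tg://proxy`, `tg://socks`) while the visible label shows something else. The function names, sample HTML, hosts and the secret placeholder are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

TME_HOSTS = {"t.me", "telegram.me", "telegram.dog"}
ACTIONS = {"proxy", "socks"}  # link actions that make the client add a proxy

def proxy_target(url):
    """Return (server, port) if url is a Telegram proxy link, else None."""
    url = url.strip()
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
    except ValueError:  # malformed text such as an unbalanced '['
        return None
    scheme = parts.scheme.lower()
    if scheme == "tg":  # tg://proxy?... carries the action in the host slot
        action = parts.netloc.lower()
    elif scheme in ("http", "https") and (parts.hostname or "").lower() in TME_HOSTS:
        action = parts.path.strip("/").lower()
    else:
        return None
    if action not in ACTIONS:
        return None
    q = parse_qs(parts.query)
    return (q.get("server", ["?"])[0], q.get("port", ["?"])[0])

class LinkAudit(HTMLParser):
    """Collects anchors whose href is a proxy link but whose label hides it."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            target, label = proxy_target(self._href), "".join(self._text).strip()
            if target and proxy_target(label) is None:  # label is not the link itself
                self.findings.append((label, *target))
            self._href = None

def find_disguised_proxy_links(html):
    audit = LinkAudit()
    audit.feed(html)
    return audit.findings

# Constructed sample: two disguised proxy links and one ordinary profile link.
SAMPLE = ('<a href="https://t.me/proxy?server=198.51.100.7&amp;port=443&amp;secret=PLACEHOLDER">@support_team</a> '
          '<a href="tg://proxy?server=proxy.example.net&amp;port=8443&amp;secret=PLACEHOLDER">example.com/news</a> '
          '<a href="https://t.me/example_user">@example_user</a>')
```

Each finding is a `(label, server, port)` tuple, so a reviewer can see which host a tap on the link would have contacted.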