When I login to my Telegram account by scanning the QR code with my phone (untorified) either through web app or desktop client on my standard Whonix WS qube I sometimes get duplicate service notifications from Telegram on my phone that also includes my real IP.
That is, if my Tor exit node is happen to be in the Netherlands and my real location is Brazil then I’ll get one service notification with a warning that someone logged into my account from the Netherlands on a device running Qubes OS and then immediately another one stating that someone logged into my account from my real Brazilian IP on the same device running Qubes OS.
How can that be explained?
I sometimes need to read my Telegram chats under Whonix so that I could browse the links in the chats on another qube while at the same time making sure that I won’t accidentally misclick and open the link from my direct/untortified connection. Overall I don’t have any concerns about my anonymity in the particular use-case. it’s just an interesting observation I cannot explain myself.
not sure, but you could if you wanted look up the list of known entry-nodes, and edit your whonix qubes firewall list so that nothing can go through the network without going through tor
it could also be the case that the act of logging in via QR code causes a new login request from your phone as well, I’m not sure, if that were the case it wouldn’t be saying it was from qubes though, I don’t know know exactly have you tried any experiments? Logging in without QR code, logging in with QR code but with your phone using a VPN, etc?
You can also try to ask at the Whonix forum: https://forums.whonix.org/
FWIW, if you’re an advanced user, you can solve this aspect in a different way by using Telegram in a qube that doesn’t even have a web browser installed. One way to accomplish this by installing the Telegram desktop app in a minimal template and not installing a web browser there, then basing your Telegram app qube on this template.
Since the question seemed more fitted to the Whonix forums and that @adrelanos was kind enough to provide a link to the televant topic, I moved this one to the User support category and marked @adrelanos’s reply as the solution. That should make it easier for future folks to find their way to the answer.
Of course, please feel free to adjust that as you see fit @apsynote
Nothing was being “leaked” - if you use an untorified phone then
Telegram will grab your IP from the phone and use it for location.