diff --git a/Telegram/SourceFiles/mtproto/connection.cpp b/Telegram/SourceFiles/mtproto/connection.cpp
index 160b41c6a..8cabe5ca8 100644
--- a/Telegram/SourceFiles/mtproto/connection.cpp
+++ b/Telegram/SourceFiles/mtproto/connection.cpp
@@ -361,7 +361,7 @@ void ConnectionPrivate::appendTestConnection(
 			_connectionOptions->proxy),
 		priority
 	});
-	auto weak = _testConnections.back().data.get();
+	const auto weak = _testConnections.back().data.get();
 	connect(weak, &AbstractConnection::error, [=](int errorCode) {
 		onError(weak, errorCode);
 	});
diff --git a/Telegram/SourceFiles/mtproto/connection_tcp.cpp b/Telegram/SourceFiles/mtproto/connection_tcp.cpp
index c0012f18e..bf48effbd 100644
--- a/Telegram/SourceFiles/mtproto/connection_tcp.cpp
+++ b/Telegram/SourceFiles/mtproto/connection_tcp.cpp
@@ -225,6 +225,7 @@ bytes::const_span TcpConnection::Protocol::VersionD::readPacket(
 
 auto TcpConnection::Protocol::Create(bytes::const_span secret)
 -> std::unique_ptr<Protocol> {
+	// See also DcOptions::ValidateSecret.
 	if ((secret.size() >= 21 && secret[0] == bytes::type(0xEE))
 		|| (secret.size() == 17 && secret[0] == bytes::type(0xDD))) {
 		return std::make_unique<VersionD>(
diff --git a/Telegram/SourceFiles/mtproto/dc_options.cpp b/Telegram/SourceFiles/mtproto/dc_options.cpp
index f4959f414..992482f74 100644
--- a/Telegram/SourceFiles/mtproto/dc_options.cpp
+++ b/Telegram/SourceFiles/mtproto/dc_options.cpp
@@ -8,6 +8,7 @@ https://github.com/telegramdesktop/tdesktop/blob/master/LEGAL
 #include "mtproto/dc_options.h"
 
 #include "storage/serialize_common.h"
+#include "mtproto/connection_tcp.h"
 
 namespace MTP {
 namespace {
@@ -87,6 +88,14 @@ private:
 
 };
 
+bool DcOptions::ValidateSecret(bytes::const_span secret) {
+	// See also TcpConnection::Protocol::Create.
+	return (secret.size() >= 21 && secret[0] == bytes::type(0xEE))
+		|| (secret.size() == 17 && secret[0] == bytes::type(0xDD))
+		|| (secret.size() == 16)
+		|| secret.empty();
+}
+
 void DcOptions::readBuiltInPublicKeys() {
 	for (const auto key : PublicRSAKeys) {
 		const auto keyBytes = bytes::make_span(key, strlen(key));
@@ -596,6 +605,8 @@ auto DcOptions::lookup(
 			} else if (type != DcType::MediaDownload
 				&& (flags & Flag::f_media_only)) {
 				continue;
+			} else if (!ValidateSecret(endpoint.secret)) {
+				continue;
 			}
 			const auto address = (flags & Flag::f_ipv6)
 				? Variants::IPv6
diff --git a/Telegram/SourceFiles/mtproto/dc_options.h b/Telegram/SourceFiles/mtproto/dc_options.h
index b65e6dc28..288822d33 100644
--- a/Telegram/SourceFiles/mtproto/dc_options.h
+++ b/Telegram/SourceFiles/mtproto/dc_options.h
@@ -48,6 +48,8 @@ public:
 
 	};
 
+	[[nodiscard]] static bool ValidateSecret(bytes::const_span secret);
+
 	// construct methods don't notify "changed" subscribers.
 	void constructFromSerialized(const QByteArray &serialized);
 	void constructFromBuiltIn();