14 DAY TRIAL // Two Iranian security researchers, Sadegh Ahmadzadegan and Omid Ghaffarinia, have discovered a bug in the Telegram app that allows them to bypass the app's minimum and maximum message limits and send invisible messages or over-sized bandwidth-consuming texts.
The two researchers say they couldn't report the issue to Telegram because they weren't able to reach the app's developers. As such, they haven't revealed any technical details that could allow an attacker to exploit this flaw.
Ahmadzadegan and Ghaffarinia explain the vulnerability is in Telegram's limitation on message size. The default minimum message length is one byte (character). The maximum message size is 4,096 bytes.
The two were able to bypass these limits and send messages with no content to users, triggering false notifications and also over-sized messages.
The latter have the potential to crash the app, but also to add extra charges on the user's bills if they're using their mobile connection when the attack starts.
Telegram attack can lead to serious financial losses
In a proof-of-concept video the two recorded, they were able to spend 256 MB of a 300 MB plan in just a few minutes, just by sending over-sized messages.
The bug is dangerous because Telegram allows users to send messages to any of the app's users, not only your friends. Attackers can use anonymous phone numbers, automate a script, and induce a constant DoS state to your phone, or make sure you spend thousands of dollars on your monthly phone bill.
"It’s possible to get up unusually late (perhaps because your phone has crashed and the alarm didn’t work :D) and see that your phone faced with insomnia last night, because it has downloaded tens of gigabytes of data (text messages)," the two researchers note.