Researchers have uncovered a vulnerability in Telegram that attackers could exploit to crash unsuspecting users’ devices and jack up their mobile phone bills.
Telegram is a popular WhatsApp-style instant messaging app, which claims to have over 100 million monthly users and gaining some 350,000 new users each day.
Telegram has proven particularly popular in Iran, where as many as 20 million people use it to communicate with one another via audio files, video, and plaintext messages.
To prevent malicious users from abusing the app, Telegram limits text messages to a specific range of characters. Each message must consist of at least one character, and it may not exceed 4,096 characters.
But according to Iranian security researchers Sadegh Ahmadzadegan and Omid Ghaffarinia, those limitations can easily be circumvented.
The two researchers note in a blog post that a programming error allows a sender to successfully transmit a message with arbitrary length to a receiver:
“Assuming that each ASCII character is one byte long, attacker can send multi-million-character long strings to victims (or just a null message to be funny!) and the victim would receive the message without taking a scratch!? It’s like downloading a large file without accepting to receive it (Like being an actual server)!”
That large file can, in turn, cause the phone to crash or stop working due to a lack of memory. It can also eat up a user’s monthly data allotment if they are connected to their mobile network and not Wi-Fi.
In a proof-of-concept video, Ahmadzadegan and Ghaffarinia spent 256 MB of a 300 MB plan in just a few minutes by sending over-sized messages:
The vulnerability is particularly dangerous because an attacker does not need to be in a user’s friend list to send a message to them. With that in mind, any sender can send an over-sized text message to any receiver as long as they both have the Telegram app.
At this time, the flaw is still active and has not been patched. In fact, Telegram hasn’t even publicly acknowledged the vulnerability after the two researchers found no way of notifying the company about the issue.
While they await a fix, Telegram users should remain connected to a secure Wi-Fi connection whenever possible to protect themselves against unexpected mobile data charges. Some might also want to consider uninstalling the app until the issue has officially been rectified.