Telegram bug allows attackers to crash devices, jack up phone bills

Malicious massive messages could cause smartphones to crash.

David Bisson

Researchers have uncovered a vulnerability in Telegram that attackers could exploit to crash unsuspecting users’ devices and jack up their mobile phone bills.

Telegram is a popular WhatsApp-style instant messaging app that claims to have over 100 million monthly users and to be gaining some 350,000 new users each day.

Telegram has proven particularly popular in Iran, where as many as 20 million people use it to communicate with one another via audio files, video, and plaintext messages.

To prevent malicious users from abusing the app, Telegram limits text messages to a specific range of characters. Each message must consist of at least one character, and it may not exceed 4,096 characters.


But according to Iranian security researchers Sadegh Ahmadzadegan and Omid Ghaffarinia, those limitations can easily be circumvented.

The two researchers note in a blog post that a programming error allows a sender to successfully transmit a message of arbitrary length to a receiver:

“Assuming that each ASCII character is one byte long, attacker can send multi-million-character long strings to victims (or just a null message to be funny!) and the victim would receive the message without taking a scratch!? It’s like downloading a large file without accepting to receive it (Like being an actual server)!”

That large file can, in turn, cause the phone to crash or stop working due to a lack of memory. It can also eat up a user’s monthly data allotment if they are connected to their mobile network and not Wi-Fi.
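The defensive counterpart to the issue described above is a receiver or relay that enforces the 1 to 4,096 character limit itself and stops reading as soon as a body exceeds the largest size a valid message could have. The sketch below is an added example, not code from Telegram or the researchers; the function names, the UTF-8 assumption, the byte cap and the chunk size are all assumptions made for illustration.

```python
import io

MIN_CHARS, MAX_CHARS = 1, 4096   # limits stated in the article
MAX_BYTES = MAX_CHARS * 4        # assumption: UTF-8, at most 4 bytes per character
CHUNK = 1024                     # assumption: read size per call


class MessageRejected(Exception):
    """The incoming body violates the size policy."""


def read_bounded(stream, max_bytes=MAX_BYTES, chunk=CHUNK):
    """Read a body, stopping as soon as it exceeds max_bytes.

    An oversized payload costs the receiver at most max_bytes + chunk bytes
    of memory and transfer instead of its full length.
    """
    buf = bytearray()
    while True:
        part = stream.read(chunk)
        if not part:
            return bytes(buf)
        buf += part
        if len(buf) > max_bytes:
            raise MessageRejected(f"more than {max_bytes} bytes, stopped reading")


def accept_text(stream):
    """Return the text only if it holds 1..4096 characters (code points)."""
    try:
        text = read_bounded(stream).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MessageRejected("not valid UTF-8") from exc
    if not MIN_CHARS <= len(text) <= MAX_CHARS:
        raise MessageRejected(f"{len(text)} characters, allowed {MIN_CHARS}..{MAX_CHARS}")
    return text


def check(payload):
    """Run one constructed payload; return (verdict, bytes actually read)."""
    stream = io.BytesIO(payload)
    try:
        accept_text(stream)
        verdict = "accepted"
    except MessageRejected:
        verdict = "rejected"
    return verdict, stream.tell()


if __name__ == "__main__":
    for sample in (b"hello", b"", b"A" * 4097, b"A" * 5_000_000):  # constructed
        print(len(sample), check(sample))
```

The multi-million-character case is rejected after 17,408 bytes have been read rather than after the whole body, which is what keeps memory use and data consumption bounded.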


In a proof-of-concept video, Ahmadzadegan and Ghaffarinia spent 256 MB of a 300 MB plan in just a few minutes by sending over-sized messages:

[Video: Telegram message size restriction bypass]

The vulnerability is particularly dangerous because an attacker does not need to be in a user’s friend list to send a message to them. With that in mind, any sender can send an over-sized text message to any receiver as long as they both have the Telegram app.

At this time, the flaw is still active and has not been patched. In fact, Telegram hasn’t even publicly acknowledged the vulnerability after the two researchers found no way of notifying the company about the issue.

While they await a fix, Telegram users should remain connected to a secure Wi-Fi connection whenever possible to protect themselves against unexpected mobile data charges. Some might also want to consider uninstalling the app until the issue has officially been rectified.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “Telegram bug allows attackers to crash devices, jack up phone bills”

  1. Bob

    Pure bull when I read the researchers' comments on the video.

    "In fact, Telegram hasn't even publicly acknowledged the vulnerability after the two researchers found no way of notifying the company about the issue."

    I found SEVEN repeated mentions of email addresses on just ONE of Telegram's web pages. Those email addresses haven't just been added either which is why I knew the researchers were either incompetent or embellishing the truth.

    Telegram also have active Twitter channels in a number of different languages OR you can contact them directly from within the app. There they go – at least 3 different ways of contacting the company.

    In fact Telegram pushed out an iOS and Android yesterday (Tuesday).

  2. Dsharp

    Wow this is insanely inaccurate. It is in no way a vulnerability, in fact you have essentially written a FUD piece about an important and valuable feature of Telegram. Instead of misleading and panicking your readers you could have presented this as a helpful and educational article by explaining how to ensure your phone does not automatically download files sent to you via Telegram. There are quite a few other tips you could cover along those lines.

    Such a shame to read these shock FUD pieces that are clearly designed to get clicks when your energy and resources could be used to help and educate people instead. Then again I suspect you might actually have completely neglected the research phase of the whole journalistic process and just published a bunch of misguided and literally incorrect hearsay as quickly as possible.

    So be it. I can only sincerely hope you gain some perspective so you can see why this type of publication is harmful to society. You can so easily do good with your talents and abilities.

  3. Bob

    Story update – Telegram say it isn't possible:

    "The server doesn’t allow text messages larger than 35 KB (the same size as two standard Telegram messages or a small photo),” Ra wrote to Threatpost in an email interview. “The sent message may look arbitrarily long – but the received message always arrives truncated by the server."
