Slashdot Mirror


Telegram Bug Allows Attackers To Crash Devices, Jack Up Phone Bills (grahamcluley.com)

An anonymous reader writes: Researchers have uncovered a vulnerability in Telegram, a popular instant messaging client with over 100M monthly active users, that attackers could exploit to crash unsuspecting users' devices and jack up their mobile phone bills. To prevent malicious users from abusing the app, Telegram limits text messages to a specific range of characters -- each message must consist of at least one character, and it may not exceed 4,096 characters. But according to Iranian security researchers Sadegh Ahmadzadegan and Omid Ghaffarinia, those limitations can easily be circumvented. The two researchers note in a blog post that a programming error allows a sender to successfully transmit a message with arbitrary length to a receiver. That large file can, in turn, cause the phone to crash or stop working due to a lack of memory. It can also eat up a user's monthly data allotment if they are connected to their mobile network and not Wi-Fi. Telegram is yet to acknowledge the vulnerability, let alone provide a fix for it.

50 comments

  1. Really? by OverlordQ · · Score: 1

    How do you mess up length checks in this day and age?

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Really? by Anonymous Coward · · Score: 0

      And who is unfortunate enough to be on a "receiver pays" mobile network?

    2. Re:Really? by vux984 · · Score: 1

      Telegram also lets you send pictures.
      So... if you want to eat mobile data....

      A crash bug/length check issue sure... that's a defect that needs to be fixed. But we don't need to imagine new issues too.

    3. Re:Really? by vux984 · · Score: 2

      And who is unfortunate enough to be on a "receiver pays" mobile network?

      Um... its the same as email. If you download all your email and attachments via mobile data... then you pay for that. That's not some sort of weird backwards receiver pays network, that's how all data plans work everywhere.

    4. Re:Really? by Anonymous Coward · · Score: 0

      Well... Unicode can be a pretty huge pain in the ass and depending on the implementation it's pretty easy to find yourself fucking things up by making easy, stupid, mistakes. I'm guessing this has to do something with the fact unicode characters can be multiple bytes. They're probably doing something to add in extra bytes but still appearing like a single character, so the check only sees "X" characters instead of "X" bytes of data.

    5. Re:Really? by NotInHere · · Score: 1

      Precisely. It's damn easy to prevent this bug. Just add a 168k bytes limit to the messages. Most times it won't matter because there is already the 4k character limit, but in the case of these special unicode characters it will prevent further harm.

    6. Re:Really? by Sax+Russell+5449D29A · · Score: 2

      This is basic stuff that's become only more and more common especially on websites. What I've noticed is that a *lot* of sanity checks etc. on web forms are done solely on the client side. The correct way is of course to check all input on both the client *and* server. The former is to alert users that their input is invalid and the latter is to prevent actual abuse.

      It's amazing what crap even (or especially) large software vendors put out these days. I come across stupid stuff like this at work all the time. Many of these are so serious that they pose a risk to the entire company network. Criticism of such practices is often met with silence or ignorance because thorough coding costs money (though system penetrations or failures often cost a lot more).

      Regarding Telegram, I think it's good there's competition in messaging apps, but they've seriously fallen behind as of late. Their strange encryption implementation has been criticized for quite a while now and there is still no ubiquitous end-to-end encryption.

      --
      -SR
    7. Re:Really? by vux984 · · Score: 2

      Their strange encryption implementation has been criticized for quite a while now and there is still no ubiquitous end-to-end encryption.

      The main feature of Telegram that I like is that my phone, desktop, and laptop client are always in sync. Even if some devices are asleep or off.

      How does one do that with end-to-end encryption? Given that I have several "ends" that I want kept in sync; so that I can pick up conversations where I left off (and review past messages) from any device? For me, that's one of the key features.

      Telegram also has the 'secret chat' feature which creates an end-to-end encrypted conversation; and one feature/limitation of that is that it then only goes between the 2 devices -- what with it being "end-to-end encrypted" not having it delivered to additional 'ends' seems implied.

      So I can have either. I'm not sure why that's called "strange"?

      Maybe I've missed something though that you are critical of?

    8. Re:Really? by Actually,+I+do+RTFA · · Score: 1

      There's a finite multiplier for any Unicode encoding though. UTF-32 is just 4 bytes per character, hardstop. UTF-8 is 1-6 bytes per character.

      --
      Your ad here. Ask me how!
    9. Re:Really? by Khyber · · Score: 1

      Skype has had all of these features and more forever, oh and it handles video.

      And it at least can enforce a fucking length check in messages.

      And I can actually dial other phones across the world without the need to give away my fucking phone number (which by the way, since Telegram got my number, my incoming unwanted marketing calls have jumped from zero to incessant. Thankfully, it's a low-cost smartphone I got exclusively for testing Telegram, so I know it's them that fucking sold my information out 100%.)

      And I have a usable searchable user directory across all devices Skype supports. Telegram has the worst fucking search ever - on the desktop client I couldn't even find an "add buddy" method - I had to do that shit over the phone client so it would show up on my desktop. Right as soon as I saw that, I dropped that bullshit and wiped it from phone and computer.

      You people jumping ship to new services over established and age-hardened services make me laugh. Sure we get fucked over with UI changes, you get fucked over by marketing of 'security' when in truth they can't even do simple fucking coding, and you're using untested unproven software RIFE with fucking errors and bugs and a shit UI.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    10. Re:Really? by Anonymous Coward · · Score: 0

      What I've noticed is that a *lot* of sanity checks etc. on web forms are done solely on the client side.

      That's worked in my favor many times over the years, and it *still* frequently works to get free stuff and better stuff [1]. Really, developers need to be more careful about this. Back in the day, if I looked at someone's form and saw a value I wanted to play around with, I'd have to spend 15 minutes to packet capture a legit form post, write a script to open a socket and imitate a browser posting my modified form data, etc. Not a huge pain if the target was worth while, but the amount of effort kept me from even bothering unless there was serious savings involved. Nowadays the browsers all have object inspectors built in! Tweaking a form value is more like a 15 second adventure than a 15 minute chore.

      [1] Without naming names, one VPS merchant provisions new VMs using fields hidden in the order form like <input type="hidden" name="serv_ram_gb" value="2">. Maybe someday they'll notice the servers on their cheapo plan that have 4x as much RAM as you get with the expensive plan.

    11. Re:Really? by vux984 · · Score: 1

      Skype has had all of these features and more forever, oh and it handles video.

      Yeah and it has ads. And I don't want video.

      which by the way, since Telegram got my number, my incoming unwanted marketing calls have jumped from zero to incessant. Thankfully, it's a low-cost smartphone I got exclusively for testing Telegram, so I know it's them that fucking sold my information out 100%

      So presumably all these marketing calls are on the number dedicated to your low cost smartphone that you got exclusively for testing telegram?? I mean... that's the only number Telegram has.

      Or maybe the provider of your low cost smartphone sold you out? Because that would never happen.

      Right as soon as I saw that, I dropped that bullshit and wiped it from phone and computer.

      And I give 2 shits what you use because?

      You people jumping ship to new services over established and age-hardened services make me laugh.

      I'm sorry, what secure age-hardened app are you using again? Because you can't possibly still be talking about skype?!

      For what it's worth, I agree telegram has its share of issues. But it does the things I want, without the things I don't want (eg... advertising, being owned by facebook, etc...)

      If Telegram is selling phone numbers to marketing... I'd like to know more about that.

    12. Re: Really? by Anonymous Coward · · Score: 0

      No. UTF-32 means 4 bytes per code point. Multiple code points can go into a single character.

    13. Re:Really? by Anonymous Coward · · Score: 1

      That's a valid question and there is no single correct answer on how to implement end-to-end (E2E) encryption in a "distributed" fashion. E2E encryption can be done in various ways, either so that it's device dependent or by utilizing the excellent features of public key infrastructure. Here's a simple, and probably not the best, example on how one could go about with E2E encryption and still have access to message backlog, history and so forth:

      1) Create a public-private key pair for each client and use the centralized severs to distribute the keys.
      2) Store (public key) encrypted messages on the centralized servers.
      3) Distribute your private key between the devices you want to be able to access your message history with.

      Step 3 could be done for example so that your client encrypts your private key with a 20+ character password and distributes it via the centralized servers. When you want to access your account/messages from another device, you connect that device to your account as you do today. Before you can access your messages, you'd have to download your encrypted private key from the server and enter the 20+ character password to open it. This password would be initially present only on the device where you created the key pair on, but you could back it up on paper too if wanted.

      This is a very simple and likely not at all the best way to approach the problem, but it's just an example on how it could be done in a fashion that allows what you described in your post. As you know, Apple does something pretty similar to this with their users' messages (even Apple can't access users' message data) and they're still available for your account when you authenticate.

      And finally, as a side note, Telegram's encryption implementation really is strange. There are quite a few excellent blog posts by security experts analysing their encryption schema and they point out pretty well what exactly is wrong with it. To my knowledge, Telegram has stated that they've done many "compromises" in their encryption schema for the sake of improving battery life on mobile devices. While this is a somewhat valid point, I personally feel that these days security should go above battery life. "Secure" should be the default and "restricted/private" should be an optional feature.

    14. Re: Really? by Actually,+I+do+RTFA · · Score: 1

      Really? There are non-printing code points (BOM, or left-to-right ordering), but I don't believe there are characters that are made up of multiple code points.

      --
      Your ad here. Ask me how!
    15. Re: Really? by Anonymous Coward · · Score: 1

      You have combining characters and modifiers to add arbitrary accents to things, change the locale of flags, change the skin tone of your emojis, and so on and so forth. You really can end up with an arbitrarily long string of code points that are for all practical purposes a single character.

    16. Re:Really? by Anonymous Coward · · Score: 0

      If Telegram is selling phone numbers to marketing... I'd like to know more about that.

      I have not seen any increase in calls since signing up several months ago, FWIW.

    17. Re:Really? by Ash-Fox · · Score: 1

      Skype has had all of these features and more forever, oh and it handles video.

      No it doesn't... I can't even see half of my group chats on the Linux client, the Windows client doesn't sync chats properly if it's been turned off a week, the Android client seems to sync on the latest stuff and often forgets the old stuff... Nothing like Telegram's sync, which is kept in sync on all devices. Regardless if the people I was talking to are logged in or not.

      --
      Change is certain; progress is not obligatory.
    18. Re:Really? by Ash-Fox · · Score: 1

      You can turn off automatic downloads and even specify if you want it for wi-fi only etc.

      --
      Change is certain; progress is not obligatory.
    19. Re: Really? by Actually,+I+do+RTFA · · Score: 1

      Interesting. Good to know if I ever need to count characters as a security measure. Although, personally, I lean towards just using a byte count and UTF-8. Messages in Klingon get fewer characters than Japanese get fewer characters than English.

      Moot in this case, because he claims to have sent a single message of 380 million 'a' characters.

      --
      Your ad here. Ask me how!
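
The length discussion in the comments above (multi-byte UTF-8, combining marks and modifiers in comments 4, 12 and 15, byte counting in comments 5 and 19), worked through as an added example; this is not Telegram's code nor code from any poster. The 4096 limit is the one the article states; the 4-bytes-per-code-point bound, the helper names and the constructed "inflated" message are assumptions.

```javascript
// Added example: three different "lengths" of one string, and a per-message
// limit check that bounds the measure a sender can inflate (bytes), not only
// the one the user sees. Helper names and the inflated input are assumptions.

const MAX_CHARS = 4096;          // per-message limit stated in the article
const MAX_BYTES = 4 * MAX_CHARS; // assumption: UTF-8 uses at most 4 bytes per code point

// What `str.length` reports in JavaScript: UTF-16 code units.
function utf16Units(s) { return s.length; }

// Unicode code points (what most "character" limits actually count).
function codePoints(s) { return [...s].length; }

// UTF-8 bytes: what crosses the network, counts against a data plan and sits in RAM.
function utf8Bytes(s) { return Buffer.byteLength(s, 'utf8'); }

// Approximate user-perceived characters: a new one starts at every code point that
// is not a combining mark (\p{M}), not an emoji skin-tone modifier, and not glued to
// the previous code point by a zero-width joiner. (Intl.Segmenter gives exact
// grapheme clusters; this approximation keeps the example dependency-free.)
function perceivedChars(s) {
  let n = 0, afterZwj = false;
  for (const cp of s) {
    const joins = afterZwj || cp === '\u200D' || /[\p{M}\p{Emoji_Modifier}]/u.test(cp);
    if (!joins) n++;
    afterZwj = cp === '\u200D';
  }
  return n;
}

// Constructed input: `n` visible 'a's, each dragging `marks` combining acute accents
// (U+0301, 2 bytes each in UTF-8). The user sees n characters; the receiver gets
// n * (1 + 2 * marks) bytes.
function inflate(n, marks) {
  return ('a' + '\u0301'.repeat(marks)).repeat(n);
}

// A check that counts only what the user perceives: the inflated message passes.
function naiveCheck(s) {
  const chars = perceivedChars(s);
  return chars >= 1 && chars <= MAX_CHARS;
}

// Hardened check: enforce the non-empty / 4096 rule on code points AND cap the
// UTF-8 size, so memory and data usage stay proportional to the limit whatever
// the script or emoji sequence. Run this on the receiving side (server and
// client), never only in the sender's UI.
function hardenedCheck(s) {
  const cps = codePoints(s);
  return cps >= 1 && cps <= MAX_CHARS && utf8Bytes(s) <= MAX_BYTES;
}

function demo() {
  const big = inflate(MAX_CHARS, 50);
  return {
    perceived: perceivedChars(big), // 4096: looks like a maximal but legal message
    codePoints: codePoints(big),    // 208896
    bytes: utf8Bytes(big),          // 413696
    naive: naiveCheck(big),         // true
    hardened: hardenedCheck(big),   // false
  };
}
```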
    20. Re:Really? by Khyber · · Score: 1

      Well, that's your problem for trying to use Linux. Skype was never meant for it in the first place.

      It syncs everything just fine for me. Droid, fiance's iPhone when I'm using it, Windows XP and Windows 7 computers. It's all there. The only annoying thing about the sync? I sign in on another device, I get all those damned notifications to download the pictures I've already downloaded from another client.

      It works perfectly fine here, I don't know what you're doing to screw it up besides using outdated unsupported clients.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    21. Re:Really? by Ash-Fox · · Score: 1

      Well, that's your problem for trying to use Linux. Skype was never meant for it in the first place.

      Indeed, Skype wasn't meant for Linux particularly, it was meant for all major platforms, including Linux.

      It syncs everything just fine for me.

      I highly doubt that. Login on a new device and try going back more than a month on a non-cloud chat.

      Windows XP and Windows 7 computers.

      Interesting point, I'll address this in a moment.

      It works perfectly fine here

      I genuinely suspect you're making up stories, much like your whole super secret IPv6 IRC network that had furry musicians on a domain that wasn't registered and you couldn't even provide an IPv6 address to connect to (I still have those IRC logs).

      I don't know what you're doing to screw it up besides using outdated unsupported clients.

      Sorry, all the clients and operating systems I use are supported.

      Now your Windows 7 support ended on 1/13/2015 and Windows XP support ended on 14/04/2009.

      Now, maybe in theory, you running outdated, unsupported systems may work well, but considering how Skype actually works, I doubt it really does and I have no interest in running outdated, unsupported systems.

      --
      Change is certain; progress is not obligatory.
    22. Re:Really? by Khyber · · Score: 1

      "Indeed, Skype wasn't meant for Linux particularly, it was meant for all major platforms, including Linux."

      Untrue. When it first came out, it only supported 2000 and XP.

      "I highly doubt that. Login on a new device and try going back more than a month on a non-cloud chat"

      Oh, look, I see an option to go back SEVERAL MONTHS. Hell I don't even have to click, I just endlessly scroll and it appears once it gets the data from the server. It works like Twitter's infini-scroll. It's not difficult to use and I can still access chats I have from when I was doing LED work in the UK, YEARS AGO.

      "I genuinely suspect you're making up stories, much like your whole whole super secret IPv6 IRC network that had furry musicians on a domain that wasn't registered and you couldn't even provide a IPv6 address to connect to (I still have those IRC logs)."

      I can prove you're an untrustworthy and petty fucking shit if you want to get into that nonsense. All it takes is calling TempDog for the logs where your ass hijacked my IRC account, which he has several copies of just in case you ever become a fucking problem.

      "Sorry, all the clients and operating systems I use are supported [skype.com]"

      And yet just immediately above you say...

      " I can't even see half of my group chats on the Linux client"

      THAT DOES NOT SOUND LIKE PROPER LINUX SUPPORT.

      "Now your Windows 7 support ended on 1/13/2015 and Windows XP support ended on 14/04/2009."

      Apparently you have no clue how this works. The OS itself doesn't need to be still supported by its manufacturer, the software that runs on the OS itself just must work with whatever the OS uses. Since stuff from XP on up hasn't changed all that drastically (hence all these new hacks coming out that can target every NT-based Windows OS) It's pretty much write it for XP and it will work forwards up to Windows 10 (Oh, Skype on my Fiance's Win10 computer WORKS JUST FINE.)

      To boot, Skype for Linux was OFFICIALLY DISCONTINUED February of this year, so no, you are not using a supported client or operating system, despite your nonsensical claim.

      "Now, maybe in theory, you running outdated, unsupported systems may work well, but considering how Skype actually works, I doubt it really does "

      Real computer users do the checking themselves. Apparently you're not a real computer user if you can't be bothered to spend the two minutes it takes to see if it works.

      So, given almost the entirety of your bullshit has been shown to be incorrect, the only reason your ass responded to me was as always to try to denigrate me. You're just a useless sack of shit, Ash.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    23. Re:Really? by Anonymous Coward · · Score: 0

      I'd love to see those IRC logs. Any chance you could share them?

    24. Re:Really? by Anonymous Coward · · Score: 0

      Awww, is Alex getting owned again? You really are a stupid little man.

    25. Re:Really? by Ash-Fox · · Score: 1

      Untrue. When it first came out, it only supported 2000 and XP.

      That's just an initial release, not what it was meant for.

      Oh, look, I see an option to go back SEVERAL MONTHS.

      Oh look, you didn't log on through a new device like I told you. By the way, I can reproduce this perfectly on OS X El Capitan and Windows 10.

      I can prove you're an untrustworthy and petty fucking shit if you want to get into that nonsense.

      Oh, irrefutable proof? Please, proceed.

      All it takes is calling TempDog for the logs where your ass hijacked my IRC account

      Please, call this "TempDog".

      for the logs where your ass hijacked my IRC account

      That sounds pretty interesting actually, please proceed and retrieve these logs and post them along with the information that links it to my person.

      " I can't even see half of my group chats on the Linux client"

      THAT DOES NOT SOUND LIKE PROPER LINUX SUPPORT.

      I can't help it if Skype is fundamentally broken.

      Real computer users do the checking themselves.

      Why do you think I use Telegram for chat instead, where it actually works properly across all devices? lol, silly.

      So, given almost the entirety of your bullshit has been shown to be incorrect, the only reason your ass responded to me was as always to try to denigrate me.

      No, if you look at my posting history, I almost always respond to everyone who responds to me. You could have spent the "two minutes" it takes to check that, but you didn't before making accusations, as always.

      --
      Change is certain; progress is not obligatory.
    26. Re:Really? by Ash-Fox · · Score: 1

      Let's see how Khyber plays out first. I know that wwofly and Cecilia still have copies of those logs too.

      --
      Change is certain; progress is not obligatory.
    27. Re:Really? by Ash-Fox · · Score: 1

      Awww, is Alex getting owned again?

      Alexander Peter Kowalski? I haven't seen him here recently.

      You really are a stupid little man.

      And why is that?

      --
      Change is certain; progress is not obligatory.
    28. Re:Really? by Anonymous Coward · · Score: 0

      I responded to Khyber, not you. His name is Alex McQuown, a douchebag of the highest order.

    29. Re:Really? by Anonymous Coward · · Score: 0

      He's a douche. In addition to what you may have he also threatened to DDOS soylent news. If you go through Khyber (Alex McQuown's) posting history you can see he makes up stories about how great he is while putting down folks.

      As soon as an expert comes along to show how ignorant he is, he goes into insult mode, pouts and hides.

  2. Telegram, eh? by fiannaFailMan · · Score: 1

    So much for older technologies being more secure. Stop.

    --
    Drill baby drill - on Mars
    1. Re: Telegram, eh? by Anonymous Coward · · Score: 0

      In the name of love. Stop.

    2. Re:Telegram, eh? by Anonymous Coward · · Score: 0

      Future shock and a letter! All those telegrams jacking up poor, old "phone" Bill.

  3. Telegram is yet to acknowledge the vulnerability by DRJlaw · · Score: 4, Informative

    Telegram is yet to acknowledge the vulnerability, let alone provide a fix for it.

    Hard to acknowledge a bug posted only yesterday on an obscure blog, and published what looks like about 3 hours ago on a news site, when TFA states:

    Telegram hasn't even publicly acknowledged the vulnerability after the two researchers found no way of notifying the company about the issue.

    Hey researchers, I've found a flaw in your notification process.... you couldn't find this page or this FAQ.

  4. Re:Telegram is yet to acknowledge the vulnerabilit by I'm+New+Around+Here · · Score: 2

    I was wondering about that wording myself.

    "...let along provide a fix for ..." a bug that was just found yesterday. Those lazy bastards!

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
  5. Good news! by Applehu+Akbar · · Score: 2

    For a week or so, we'll be able to crash terrorist communications, until they pick another app.

  6. Re:Telegram is yet to acknowledge the vulnerabilit by Anonymous Coward · · Score: 0

    Also from the FAQ:

    In fact, we welcome security experts to audit our system and would appreciate any feedback (security@telegram.org).

    So there's that as well.

  7. Research link: by Anonymous Coward · · Score: 0

    For more detailed info http://www.sadghaf.com/en/2016...

  8. Jack up bill? by wardrich86 · · Score: 1

    I don't understand how this exploit would affect a phone bill...?

    1. Re:Jack up bill? by Anonymous Coward · · Score: 1

      I don't understand how this exploit would affect a phone bill...?

      by eating up the data plan if not on an unlimited plan.

    2. Re:Jack up bill? by Anonymous Coward · · Score: 0

      They don't have de facto unlimited plans like the civilized world.

  9. "Iranian security researchers" by Anonymous Coward · · Score: 0

    Say what? I half expect a news report next week stating that these individuals have been stoned to death for working with banned software and service.

    1. Re:"Iranian security researchers" by Rakarra · · Score: 2

      I think the government of Iran would be quite fine with security researchers attempting to break the security of other countries' messengers.

  10. Re:Telegram is yet to acknowledge the vulnerabilit by Anonymous Coward · · Score: 1

    > you couldn't find this page [telegram.org] or this FAQ. [telegram.org]

    in the security research community, releasing a vulnerability while saying they found no way of contacting the company means they found those links, sent messages days ago and were ignored.

  11. Re:Telegram is yet to acknowledge the vulnerabilit by axewolf · · Score: 1

    This story is proof the slashdot editors are for sale 100%

  12. Everyone with SMS by Almahtar · · Score: 1

    I've always thought it's bullshit that you get charged for receiving text messages as well as sending. People shouldn't have the ability to force charges arbitrarily on others, but SMS has been doing that since the start.

    1. Re: Everyone with SMS by stud9920 · · Score: 1

      Welcome to the USA where you get charged for MTC and SMS-MT.
      This is inconceivable in the EU. Hope the Brits won't have to deal with it.

  13. Re:Telegram is yet to acknowledge the vulnerabilit by drinkypoo · · Score: 1

    "...let along provide a fix for ..." a bug that was just found yesterday. Those lazy bastards!

    Except that this actually happens all the time in apps, where the fix is simple and the developer is paying attention. And this is a particularly pathetic bug. People who don't do input checking or bounds checking are spectacular idiots. What other spectacularly idiotic decisions did they make during development?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  14. Re:Telegram is yet to acknowledge the vulnerabilit by I'm+New+Around+Here · · Score: 1

    "...let along provide a fix for ..." a bug that was just found yesterday. Those lazy bastards!

    Except that this actually happens all the time in apps, where the fix is simple and the developer is paying attention.

    I don't follow such events (I'm not a programmer), so I'll take your word for it. It still seems a bit overblown to complain the day after someone wrote about the flaw in a blog somewhere.

    And this is a particularly pathetic bug. People who don't do input checking or bounds checking are spectacular idiots. What other spectacularly idiotic decisions did they make during development?

    This I totally agree with. I can see not doing checks on test code, or for classwork in school. But for any production code, bounds checking and other similar issues should be the default for every programmer. With all the buffer overflow attacks we see, we should expect paid programmers to be more security conscious.

    I just googled about it, and came across this discussion on Stackoverflow. It has some good pro/con points.

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.