Slashdot Mirror


Telegram Bug Allows Attackers To Crash Devices, Jack Up Phone Bills (grahamcluley.com)

An anonymous reader writes: Researchers have uncovered a vulnerability in Telegram, a popular instant messaging client with over 100M monthly active users, that attackers could exploit to crash unsuspecting users' devices and jack up their mobile phone bills. To prevent malicious users from abusing the app, Telegram limits text messages to a specific range of characters -- each message must consist of at least one character, and it may not exceed 4,096 characters. But according to Iranian security researchers Sadegh Ahmadzadegan and Omid Ghaffarinia, those limitations can easily be circumvented. The two researchers note in a blog post that a programming error allows a sender to successfully transmit a message with arbitrary length to a receiver. That large file can, in turn, cause the phone to crash or stop working due to a lack of memory. It can also eat up a user's monthly data allotment if they are connected to their mobile network and not Wi-Fi. Telegram is yet to acknowledge the vulnerability, let alone provide a fix for it.

  1. Telegram is yet to acknowledge the vulnerability by DRJlaw · Score: 4, Informative

    Telegram is yet to acknowledge the vulnerability, let alone provide a fix for it.

    Hard to acknowledge a bug posted only yesterday on an obscure blog, and published what looks like about 3 hours ago on a news site, when TFA states:

    Telegram hasn't even publicly acknowledged the vulnerability after the two researchers found no way of notifying the company about the issue.

    Hey researchers, I've found a flaw in your notification process.... you couldn't find this page or this FAQ.