Telegram Bug Allows Attackers To Crash Devices, Jack Up Phone Bills (grahamcluley.com)
An anonymous reader writes: Researchers have uncovered a vulnerability in Telegram, a popular instant messaging client with over 100M monthly active users, that attackers could exploit to crash unsuspecting users' devices and jack up their mobile phone bills. To prevent malicious users from abusing the app, Telegram limits text messages to a specific range of characters -- each message must consist of at least one character, and it may not exceed 4,096 characters. But according to Iranian security researchers Sadegh Ahmadzadegan and Omid Ghaffarinia, those limitations can easily be circumvented. The two researchers note in a blog post that a programming error allows a sender to successfully transmit a message with arbitrary length to a receiver. That large file can, in turn, cause the phone to crash or stop working due to a lack of memory. It can also eat up a user's monthly data allotment if they are connected to their mobile network and not Wi-Fi. Telegram has yet to acknowledge the vulnerability, let alone provide a fix for it.
And who is unfortunate enough to be on a "receiver pays" mobile network?
Um... it's the same as email. If you download all your email and attachments via mobile data... then you pay for that. That's not some sort of weird backwards receiver pays network, that's how all data plans work everywhere.
Hard to acknowledge a bug posted only yesterday on an obscure blog, and published what looks like about 3 hours ago on a news site, when TFA states:
Telegram hasn't even publicly acknowledged the vulnerability after the two researchers found no way of notifying the company about the issue.
Hey researchers, I've found a flaw in your notification process.... you couldn't find this page or this FAQ.
I was wondering about that wording myself.
"...let alone provide a fix for ..." a bug that was just found yesterday. Those lazy bastards!
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
For a week or so, we'll be able to crash terrorist communications, until they pick another app.
This is basic stuff that's become only more and more common, especially on websites. What I've noticed is that a *lot* of sanity checks etc. on web forms are done solely on the client side. The correct way is of course to check all input on both the client *and* server. The former is to alert users that their input is invalid and the latter is to prevent actual abuse.
It's amazing what crap even (or especially) large software vendors put out these days. I come across stupid stuff like this at work all the time. Many of these are so serious that they pose a risk to the entire company network. Criticism of such practices is often met with silence or ignorance because thorough coding costs money (though system penetrations or failures often cost a lot more).
Regarding Telegram, I think it's good there's competition in messaging apps, but they've seriously fallen behind as of late. Their strange encryption implementation has been criticized for quite a while now and there is still no ubiquitous end-to-end encryption.
-SR
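The client-versus-server validation point above, worked through as an added example (written for this page, not Telegram's code or the researchers'): a 1..4096-character message policy enforced once on the client, where an attacker can simply skip it, and once on the server, where it is bounded at the byte-read stage so an oversized body is rejected before it is ever buffered in full. The limits are the ones quoted in the summary; the function names, the `MessageRejected` exception and the in-memory streams standing in for the network are assumptions made for the example.

```python
import io

# Limits quoted in the article: each message is 1..4096 characters.
MIN_CHARS = 1
MAX_CHARS = 4096
# A UTF-8 code point is at most 4 bytes, so this bounds the raw read
# before any decoding happens (assumption: messages are sent as UTF-8).
MAX_BYTES = MAX_CHARS * 4


class MessageRejected(ValueError):
    """Raised when a message violates the length policy (hypothetical name)."""


def client_check(text: str) -> str:
    """Client-side check: useful as user feedback, worthless as a control,
    because an attacker simply does not run this code."""
    if not MIN_CHARS <= len(text) <= MAX_CHARS:
        raise MessageRejected(
            f"client: {len(text)} chars outside {MIN_CHARS}..{MAX_CHARS}")
    return text


def read_bounded(stream: io.BufferedIOBase, limit: int) -> bytes:
    """Read at most `limit` bytes from the stream.

    Asking for one byte more than the limit reveals an oversized body
    without ever buffering an arbitrarily large payload in memory, which
    is exactly the resource-exhaustion the receiving side must avoid."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise MessageRejected(f"server: body exceeds {limit} bytes")
    return data


def server_accept(stream: io.BufferedIOBase) -> str:
    """Server-side check: the one that actually enforces the policy."""
    raw = read_bounded(stream, MAX_BYTES)
    try:
        text = raw.decode("utf-8")  # strict: malformed bytes are rejected
    except UnicodeDecodeError as exc:
        raise MessageRejected(f"server: not valid UTF-8: {exc}") from None
    n = len(text)  # counts code points, matching a "characters" limit
    if not MIN_CHARS <= n <= MAX_CHARS:
        raise MessageRejected(
            f"server: {n} chars outside {MIN_CHARS}..{MAX_CHARS}")
    return text


def honest_send(text: str) -> str:
    """Normal client path: local check first, then the server check."""
    return server_accept(io.BytesIO(client_check(text).encode("utf-8")))


def attacker_send(raw: bytes) -> str:
    """Attacker path: skip the client entirely and speak the wire format."""
    return server_accept(io.BytesIO(raw))


def outcome(send, payload) -> str:
    """Summarise a send attempt as 'accepted' or 'rejected (reason)'."""
    try:
        send(payload)
        return "accepted"
    except MessageRejected as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    print(outcome(honest_send, "hi"))                      # accepted
    print(outcome(honest_send, "x" * 5000))                # client rejects
    print(outcome(attacker_send, b"x" * 5000))             # server rejects
    print(outcome(attacker_send, b"x" * 1_000_000))        # read stays bounded
    print(outcome(attacker_send, b""))                     # empty rejected
    print(outcome(attacker_send, ("\u00e9" * 4096).encode("utf-8")))  # accepted
```

The last case is the caveat worth keeping in mind when enforcing a "characters" limit: 4096 two-byte characters are 8192 bytes, so a server that counted bytes against 4096 would reject legitimate non-ASCII messages, while one that decoded before bounding the read would still be exposed to the memory blow-up.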
Their strange encryption implementation has been criticized for quite a while now and there is still no ubiquitous end-to-end encryption.
The main feature of Telegram that I like is that my phone, desktop, and laptop client are always in sync. Even if some devices are asleep or off.
How does one do that with end-to-end encryption? Given that I have several "ends" that I want kept in sync, so that I can pick up conversations where I left off (and review past messages) from any device? For me, that's one of the key features.
Telegram also has the 'secret chat' feature which creates an end-to-end encrypted conversation; and one feature/limitation of that is that it then only goes between the 2 devices -- what with it being "end-to-end encrypted" not having it delivered to additional 'ends' seems implied.
So I can have either. I'm not sure why that's called "strange"?
Maybe I've missed something though that you are critical of?
I think the government of Iran would be quite fine with security researchers attempting to break the security of other countries' messengers.