Telegram users are vulnerable to attacks due to programming error allowing anyone to send invisible and over-sized messages on their devices!

Telegram is a cloud-based instant messaging service which allows users to send encrypted messages on platforms like (Android, iOS, Windows Phone, Ubuntu Touch) and desktop systems (Windows, OS X, Linux). The service has 100 million monthly active users. However, recently two Iranian IT security researchers Sadegh Ahmadzadegan and Omid Ghaffarinia found a critical flaw in the app allowing attackers to send anonymous messages by crossing the official set limit for sending messages.

This means that anyone with a slight knowledge of the vulnerability can send over-sized messages to the victims by crossing the minimum limit that is 1 character (1 byte) and the maximum limit is 4096 but due to an error (probably from the programmers) the attacker can take over the size and send massive messages with fake notifications. This vulnerability is similar to the one discovered last year in WhatsApp allowing an attacker to crash anyone’s WhatsApp by sending 4000 smileys at once.

At the time of publishing this article, the security flaw was still impacting Telegram users but, the researchers are trying to report the issue to the app’s developers. Both researchers refrained from publicising any technical details until the flaw is fixed. However, they did some testing and here’s what they found:

“1: The device crashes or just stop working due to lack of space (or memory). 2: Summing up what we’ve said, It’s possible to get up unusually late (perhaps because your phone has crashed and the alarm didn’t work :D) and see that your phone faced with insomnia last night because it has downloaded tens of gigabytes of data (text messages). And the worse part is yet to come: Due to the Telegram policy, It’s not necessary to have a user in your contact list in order to receive a message from him. So an attacker can use an anonymous phone line to carry out the attack. ” 

Currently, there are 20 million Iranians using the app and such critical flaw poses a great danger to the security and privacy for not only local but also for international users.


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.