Unlimited size message vulnerability found in Telegram

News by Max Metzger

Two researchers have found a rather annoying exploit in the Telegram encrypted communications app

A vulnerability in the encrypted messaging app, Telegram, has been disclosed. The vulnerability would allow attackers to send communications of any size over the encrypted messaging system.

The researchers were inspired to probe the messaging app, which is one of the most popular in Iran, when one of their friends told the two he had ‘nothing to hide' when it came to vulnerabilities in the app.

The research blog which found the vulnerability, Sad Ghaf, a compound of the its two founders names, Sadegh Ahmadzadegan and Omid Ghaffarinia, goes into further detail on the exploit. They even made a video, detailing how to perform the attack.


For most users, Telegram blocks the number of requests any individual can make, meaning one cant send lots of messages over a very short period of time. It also does this for size, limiting message to 4096 characters or bytes.

However, according to the researchers, “Due to a programming error in the implementation of this section, [the] sender can get control on the size of messages and send them with arbitrary length. On the other side [the] victim would receive all incoming messages even if they are too long.”

The researchers ended up sending a 30,000 character long message. This might all seem rather benign but a potential attacker could quite easily use up the phone's data or fill up the phone with useless data.

While he doesn't see it as a clear security issue, David Emm, principal security researcher at Kaspersky Lab, told SCMagazineUK.com, “It's a potential way of undermining availability.  By sending large messages, an attacker could (a) clog-up the device, preventing it from performing other tasks (much like a  DDoS attack), (b) take up storage capacity on the device and (c) cost the victim money by using up their network data allowance.”

This is not the first time that holes have been found in the Telegram app, which used to claim to be more secure than its encrypted messaging rival, WhatsApp.

Just this month, the app was shown to be vulnerable to the ss7 bug, which would allow a hacker to pretend to be the owner of a Telegram account.

Late last year, the HomeBrew cryptography used by the app was said to be far weaker than expected. An information security researcher known as ‘the Grugq' wrote at the time that “Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout. I couldn't possibly think of a worse combination for a safe messenger.”

Telegram and WhatsApp were contacted but did not respond in time for publication.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews