Telegram Bug Allows Attackers To Crash Devices, Jack Up Phone Bills (grahamcluley.com)
An anonymous reader writes: Researchers have uncovered a vulnerability in Telegram, a popular instant messaging client with over 100M monthly active users, that attackers could exploit to crash unsuspecting users' devices and jack up their mobile phone bills. To prevent malicious users from abusing the app, Telegram limits text messages to a specific range of characters -- each message must consist of at least one character, and it may not exceed 4,096 characters. But according to Iranian security researchers Sadegh Ahmadzadegan and Omid Ghaffarinia, those limitations can easily be circumvented. The two researchers note in a blog post that a programming error allows a sender to successfully transmit a message with arbitrary length to a receiver. That large file can, in turn, cause the phone to crash or stop working due to a lack of memory. It can also eat up a user's monthly data allotment if they are connected to their mobile network and not Wi-Fi. Telegram has yet to acknowledge the vulnerability, let alone provide a fix for it.
Really? (Score:2)
How do you mess up length checks in this day and age?
Re: (Score:3)
And who is unfortunate enough to be on a "receiver pays" mobile network?
Um... its the same as email. If you download all your email and attachments via mobile data... then you pay for that. That's not some sort of weird backwards receiver pays network, that's how all data plans work everywhere.
Everyone with SMS (Score:2)
Re: Everyone with SMS (Score:1)
Welcome to the USA where you get charged for MTC and SMS-MT.
This is inconceivable in the EU. Hope the Brits won't have to deal with it.
Re: (Score:2)
Telegram also lets you send pictures.
So... if you want to eat mobile data....
A crash bug/length check issue sure... that's a defect that needs to be fixed. But we don't need to imagine new issues too.
Re: (Score:2)
Re: (Score:2)
There's a finite multiplier for any Unicode encoding though. UTF-32 is just 4 bytes per character, hardstop. UTF-8 is 1-6 bytes per character.
Re: (Score:2)
Really? There are non-printing code points (BOM, or left-to-right ordering), but I don't believe there are characters that are made up of multiple code points.
Re: (Score:1)
You have combining characters and modifiers to add arbitrary accents to things, change the locale of flags, change the skin tone of your emojis, and so on and so forth. You really can end up with an arbitrarily long string of code points that are for all practical purposes a single character.
Re: (Score:2)
Interesting. Good to know if I ever need to count characters as a security measure. Although, personally, I lean towards just using a byte count and UTF-8. Messages in Klingon get fewer characters than Japanese get fewer characters than English.
Moot in this case, because he claims to have sent a single message of 380 million 'a' characters.
Re: (Score:2)
Precisely. It's damn easy to prevent this bug. Just add a 168k bytes limit to the messages. Most times it won't matter because there is already the 4k character limit, but in the case of these special unicode characters it will prevent further harm.
Re: (Score:3)
This is basic stuff that's become only more and more common especially on websites. What I've noticed is that a *lot* of sanity checks etc. on web forms are done solely on the client side. The correct way is of course to check all input on both the client *and* server. The former is to alert users that their input is invalid and the latter is to prevent actual abuse.
It's amazing what crap even (or especially) large software vendors put out these days. I come across stupid stuff like this at work all the tim
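The two points above (that a "character" can be an unbounded run of code points, and that the check belongs on the server, not only in the client) can be shown in a few lines. The following is an added example, not code from Telegram or from the researchers' post. It assumes a hypothetical server-side validator with Telegram's documented 4,096-character limit from the story and an assumed byte cap of 4 × 4,096 (UTF-8 uses at most 4 bytes per code point under RFC 3629, so that is the most a conforming 4,096-code-point message can occupy). The grapheme counter is a deliberately simplified stand-in for full UAX #29 segmentation; it is only there to show why counting user-perceived characters is the wrong unit for an abuse limit.

```python
import unicodedata

# Limits. MAX_CHARS is Telegram's documented per-message limit quoted in the
# story; MAX_BYTES is an assumed hard cap for this example (UTF-8 needs at most
# 4 bytes per code point, so 4 * MAX_CHARS is the most a conforming message can be).
MAX_CHARS = 4096
MAX_BYTES = 4 * MAX_CHARS


def _extends_previous(ch):
    """True for code points that attach to the preceding base character:
    combining marks (accents), the zero-width joiner used in emoji sequences,
    variation selectors, and emoji skin-tone modifiers."""
    cat = unicodedata.category(ch)
    return (
        cat in ("Mn", "Mc", "Me")
        or ch == "\u200d"                      # ZERO WIDTH JOINER
        or "\ufe00" <= ch <= "\ufe0f"          # variation selectors
        or "\U0001f3fb" <= ch <= "\U0001f3ff"  # emoji skin-tone modifiers
    )


def grapheme_count(text):
    """Approximate number of user-perceived characters.

    A base code point plus everything that extends it counts as one. This is a
    simplified stand-in for UAX #29 (which also merges regional-indicator pairs
    for flags, Hangul jamo, etc.); it is enough to show the problem: one
    grapheme can hide an unbounded number of code points."""
    count = 0
    for i, ch in enumerate(text):
        if i > 0 and _extends_previous(ch):
            continue
        count += 1
    return count


def measure(text):
    """The three different lengths a 'character limit' could be measuring."""
    return {
        "code_points": len(text),
        "utf8_bytes": len(text.encode("utf-8")),
        "graphemes": grapheme_count(text),
    }


def naive_validate(text, max_chars=MAX_CHARS):
    """A check that counts user-perceived characters. Looks reasonable in a UI,
    but a single grapheme built from thousands of combining marks passes it."""
    n = grapheme_count(text)
    if n < 1:
        return False, "empty"
    if n > max_chars:
        return False, "too long"
    return True, "ok"


def validate_message(text, max_chars=MAX_CHARS, max_bytes=MAX_BYTES):
    """Server-side check: bound code points and bytes, never graphemes.

    The client may run the same check to give the sender early feedback, but
    the server must repeat it on the received payload, because the client is
    under the sender's control."""
    if not text:
        return False, "empty"
    if len(text) > max_chars:
        return False, "too many code points"
    if len(text.encode("utf-8")) > max_bytes:
        return False, "too many bytes"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a plain message, one 'character' made of 50,000
    # accents, an emoji with a modifier, and an oversized plain-ASCII payload
    # of the kind the researchers describe (scaled down from their 380M 'a's).
    samples = {
        "hello": "hello",
        "one grapheme, 50001 code points": "a" + "\u0301" * 50000,
        "thumbs up with skin tone": "\U0001f44d\U0001f3fd",
        "oversized ascii": "a" * 5000,
    }
    for name, s in samples.items():
        print(f"{name:35} {measure(s)}  naive={naive_validate(s)}  robust={validate_message(s)}")
```

Running it shows the "one grapheme" sample passing `naive_validate` while `validate_message` rejects it on the code-point count, and the 5,000-byte ASCII sample rejected by both. The byte cap is belt-and-braces: with a code-point bound in place it is redundant for well-formed UTF-8, but it still catches a peer that sends non-conforming or over-long encodings, and it is the cheaper of the two checks to apply before decoding anything.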
Re: (Score:3)
Their strange encryption implementation has been criticized for quite a while now and there is still no ubiquitous end-to-end encryption.
The main feature of Telegram that I like is that my phone, desktop, and laptop client are always in sync. Even if some devices are asleep or off.
How does one do that with end-to-end encryption? Given that I have several "ends" that I want kept in sync; so that I can pick up conversations where I left off (and review past messages) from any device? For me, that's one of the key features.
Telegram also has the 'secret chat' feature which creates an end-to-end encrypted conversation; and one feature/limitation of t
Re: (Score:2)
Skype has had all of these features and more forever, oh and it handles video.
And it at least can enforce a fucking length check in messages.
And I can actually dial other phones across the world without the need to give away my fucking phone number (which by the way, since Telegram got my number, my incoming unwanted marketing calls have jumped from zero to incessant. Thankfully, it's a low-cost smartphone I got exclusively for testing Telegram, so I know it's them that fucking sold my information out 100%).
Re: (Score:2)
Skype has had all of these features and more forever, oh and it handles video.
Yeah and it has ads. And I don't want video.
which by the way, since Telegram got my number, my incoming unwanted marketing calls have jumped from zero to incessant. Thankfully, it's a low-cost smartphone I got exclusively for testing Telegram, so I know it's them that fucking sold my information out 100%
So presumably all these marketing calls are on the number dedicated to your low cost smartphone that you got exclusively for testing telegram?? I mean... that's the only number Telegram has.
Or maybe the provider of your low cost smartphone sold you out? Because that would never happen.
Right as soon as I saw that, I dropped that bullshit and wiped it from phone and computer.
And I give 2 shits what you use because?
You people jumping ship to new services over established and age-hardened services make me laugh.
I'm sorry, what secure age-hardened app are you using again? Because you can't possibly still be talking about skype?!
For what it's worth, I a
Re: (Score:2)
Re: (Score:2)
Well, that's your problem for trying to use Linux. Skype was never meant for it in the first place.
It syncs everything just fine for me. Droid, fiance's iPhone when I'm using it, Windows XP and Windows 7 computers. It's all there. The only annoying thing about the sync? I sign in on another device, I get all those damned notifications to download the pictures I've already downloaded from another client.
It works perfectly fine here, I don't know what you're doing to screw it up besides using outdated unsuppo
Re: (Score:2)
Re: (Score:2)
"Indeed, Skype wasn't meant for Linux particularly, it was meant for all major platforms, including Linux."
Untrue. When it first came out, it only supported 2000 and XP. [archive.org]
"I highly doubt that. Login on a new device and try going back more than a month on a non-cloud chat"
Oh, look, I see an option to go back SEVERAL MONTHS. Hell I don't even have to click, I just endlessly scroll and it appears once it gets the data from the server. It works like Twitter's infini-scroll. It's not difficult to use and I can sti
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
That's a valid question and there is no single correct answer on how to implement end-to-end (E2E) encryption in a "distributed" fashion. E2E encryption can be done in various ways, either so that it's device dependent or by utilizing the excellent features of public key infrastructure. Here's a simple, and probably not the best, example on how one could go about with E2E encryption and still have access to message backlog, history and so forth:
1) Create a public-private key pair for each client and use the
Telegram, eh? (Score:2)
So much for older technologies being more secure. Stop.
Telegram is yet to acknowledge the vulnerability (Score:5, Informative)
Hard to acknowledge a bug posted only yesterday on an obscure blog, and published what looks like about 3 hours ago on a news site, when TFA states:
Telegram hasn't even publicly acknowledged the vulnerability after the two researchers found no way of notifying the company about the issue.
Hey researchers, I've found a flaw in your notification process.... you couldn't find this page [telegram.org] or this FAQ. [telegram.org]
Re: (Score:3)
I was wondering about that wording myself.
"...let along provide a fix for ..." a bug that was just found yesterday. Those lazy bastards!
Re: (Score:2)
"...let along provide a fix for ..." a bug that was just found yesterday. Those lazy bastards!
Except that this actually happens all the time in apps, where the fix is simple and the developer is paying attention. And this is a particularly pathetic bug. People who don't do input checking or bounds checking are spectacular idiots. What other spectacularly idiotic decisions did they make during development?
Re: (Score:2)
"...let along provide a fix for ..." a bug that was just found yesterday. Those lazy bastards!
Except that this actually happens all the time in apps, where the fix is simple and the developer is paying attention.
I don't follow such events (I'm not a programmer), so I'll take your word for it. It still seems a bit overblown to complain the day after someone wrote about the flaw in a blog somewhere.
And this is a particularly pathetic bug. People who don't do input checking or bounds checking are spectacular idiots. What other spectacularly idiotic decisions did they make during development?
This I totally agree with. I can see not doing checks on test code, or for classwork in school. But for any production code, bounds checking and other similar issues should be the default for every programmer. With all the buffer overflow attacks we see, we should expect paid programmers to be more security conscious.
I jus
Re: (Score:1)
> you couldn't find this page [telegram.org] or this FAQ. [telegram.org]
in the security research community, releasing a vulnerability while saying they found no way of contacting the company means they found those links, sent messages days ago and were ignored.
Re: (Score:1)
This story is proof the slashdot editors are for sale 100%
Good news! (Score:3)
For a week or so, we'll be able to crash terrorist communications, until they pick another app.
Jack up bill? (Score:2)
Re: (Score:1)
I don't understand how this exploit would affect a phone bill...?
by eating up the data plan if not on an unlimited plan.
Re: (Score:3)
I think the government of Iran would be quite fine with security researchers attempting to break the security of other countries' messengers.