A reported flaw in the popular Telegram Messenger app that allows attackers to crash devices and run up wireless data charges is being disputed by the app maker, which calls the claims false.

According to two Iran-based researchers, Sadegh Ahmadzadegan and Omid Ghaffarinia, Telegram users are vulnerable to attacks via specially crafted messages that can bypass size limits and crash devices that receive the messages. Additionally, the researchers claim that if Telegram users are on paid, metered cellular data plans, those malicious messages could also be costly to recipients because data plans are depleted and possible overage charges are incurred.

Telegram Messenger is a messaging service, used by an estimated 100 million users worldwide, that combines features similar to WhatsApp and Snapchat. The secure messaging service uses advanced cryptography, affording users a secure platform to swap private messages, images and file attachments.

In a blog post outlining their research, Ahmadzadegan and Ghaffarinia detail their discovery:

“Assuming that each ASCII character is one byte long, attacker can send multi-million-character long strings to victims (or just a null message to be funny!) and the victim would receive the message without taking a scratch!? It’s like downloading a large file without accepting to receive it.”

Regarding claims by the Iranian researchers, Telegram’s Markus Ra told Threatpost that the allegations were “click bait fear mongering” on the part of the researchers.

Both Ahmadzadegan and Ghaffarinia, who co-authored the research on the Telegram flaw, self-identify as two of seven accused Iranian hackers indicted by the U.S. Justice Department in March for state-sponsored hacking of U.S. networks and targeting U.S. industries.

According to the indictment, Ahmadzadegan and Ghaffarinia are accused of working for the Iranian Revolutionary Guard Corps and carrying out DDoS attacks against 46 U.S. financial institutions.

The researchers stop short of pinpointing the precise vulnerability because, they say, the flaw still exists and has not been patched by Telegram. But they say the specially crafted messages are large enough to crash a smartphone by overutilizing the device’s memory. The two researchers published a proof-of-concept video that claims to demonstrate the vulnerability, showing how an attacker can send more than 256 MB of data in just a few minutes to a Telegram recipient.

More troubling, the researchers claim, is the fact that Telegram policy allows messages to be swapped between users outside of contact lists.

“The server doesn’t allow text messages larger than 35 KB (the same size as two standard Telegram messages or a small photo),” Ra wrote to Threatpost in an email interview. “The sent message may look arbitrarily long – but the received message always arrives truncated by the server.”

Neither researcher responded to Threatpost requests for comment.
