
A report about a vulnerability in Telegram - sadghaf
Recently, we found a concerning security bug in the widely-used instant messaging tool: Telegram. In order to explain the criticality of the issue we decided to publish it on our blog.

We are security researchers from Iran and as you may know, Telegram holds the position of the most popular instant messaging tool in the middle east (consequently in our country).

The blog link: http://www.sadghaf.com/
======
dsacco
Please don't yell fire like this. You haven't found any critical severity
vulnerability in Telegram. As written, your report doesn't disclose a
vulnerability at all. What you found is a logic error with no evidence of a
security implication. You're attempting to promote yourself using invalid
findings that, as presented, would be quickly rejected by the Telegram team as
not applicable.

Your video details two findings: 1. the ability to empty a contact's internet
balance by sending very long messages to them and 2. the ability to cause a
contact's client to potentially crash due to an unexpected number of bytes in
a single message.

The first finding is neither a Telegram nor a security issue. Does Twilio have
a critical security vulnerability because I can use it to quickly exhaust a
user's SMS quota for the month? This is an established precedent, and you have
not identified a technical security flaw.

The second finding is a legitimate bug, as there is behavior that is
implemented differently than the documented design goal of the API. However,
you did not provide evidence that this finding can be used to cause a
persistent denial of service. Does the application crash every time a user
opens it, or is this good for one use? This is not a vulnerability unless you
can demonstrate an overflow allowing local memory reads/writes or a persistent
denial of service condition.

This is attention seeking behavior. Publicizing a "critical" vulnerability in
a high profile application based on the flimsy excuse that you couldn't find
an explicit disclosure email address reduces the credibility of responsible
disclosure and legitimate security research. If you had actually bothered to
search instead of rushing to bring your "findings" to notoriety you would have
found security@telegram.org, which is explicitly for security reports. But
that wouldn't have allowed you to make a blog post and submit it to HN, would
it?

The next time you think you've found a vulnerability, don't publicize it and
try to disguise it as a noble gesture by saying you're not going to "pinpoint"
the vulnerability when you clearly walk through the exploitation in your
video. Report your findings directly to the vendor, and if the vulnerability
is valid and a fix is pushed due to your participation, then you can brag on
HN about it.
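
The second finding above comes down to a client receiving a message whose size is outside what the documented API limit leads it to expect. An added example, not code from the thread, from Telegram or from the blog, of the defensive check a server or client can apply: enforce the documented message limit both as a character count and as a UTF-8 byte count, and truncate on code-point boundaries rather than raw bytes. The limits (4096 characters, 8192 bytes) and function names are constructed assumptions for illustration only.

```python
# Added example (not from the thread, Telegram or the blog): length checks
# for chat messages. A limit checked only in characters still lets a
# multi-byte message carry far more bytes than a receiver expects, so both
# budgets are enforced. MAX_CHARS / MAX_BYTES are constructed assumptions.

MAX_CHARS = 4096   # assumed documented limit, in code points
MAX_BYTES = 8192   # assumed transport budget, in UTF-8 bytes


def validate_message(text: str, max_chars: int = MAX_CHARS,
                     max_bytes: int = MAX_BYTES) -> tuple:
    """Return (accepted, reason). Call before storing or relaying a message."""
    n_chars = len(text)
    n_bytes = len(text.encode("utf-8"))
    if n_chars > max_chars:
        return False, f"too many characters: {n_chars} > {max_chars}"
    if n_bytes > max_bytes:
        return False, f"too many bytes: {n_bytes} > {max_bytes}"
    return True, "ok"


def truncate_utf8(text: str, max_bytes: int) -> str:
    """Cut text to at most max_bytes of UTF-8 without splitting a code point.

    A naive byte slice can leave a partial multi-byte sequence at the end;
    decoding with errors="ignore" drops that trailing fragment.
    """
    return text.encode("utf-8")[:max_bytes].decode("utf-8", errors="ignore")


if __name__ == "__main__":
    # Constructed inputs: plain ASCII, an over-long ASCII message, and a
    # message of 4000 emoji (4 bytes each) that passes the character check
    # but exceeds the byte budget.
    for sample in ("hello", "a" * 4097, "\U0001F600" * 4000):
        ok, reason = validate_message(sample)
        print(f"{len(sample):>5} chars, {len(sample.encode('utf-8')):>6} bytes -> {ok} ({reason})")
    print(repr(truncate_utf8("\u00e9" * 10, 5)))
```

The emoji case is the one to note: 4000 code points is under the character limit, but 16000 bytes is double the byte budget, so a receiver that sized its buffer from the character limit alone would be surprised. Checking both budgets on the sending side, and truncating on code-point boundaries on the receiving side, closes that gap.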

------
jupenur
I'm not sure you know what "critical" means—this bug definitely isn't it—but
you should probably report it to Telegram instead of posting on HN. You claim
you couldn't find a way to do that, but they have a security@ address [1], so
you can't have looked very carefully.

[1] [https://telegram.org/faq#q-what-if-my-hacker-friend-says-they-could-decipher-telegram-mes](https://telegram.org/faq#q-what-if-my-hacker-friend-says-they-could-decipher-telegram-mes)

------
jupenur
An interesting little detail about the authors:
[https://www.fbi.gov/wanted/cyber/iranian-ddos-attacks](https://www.fbi.gov/wanted/cyber/iranian-ddos-attacks)

------
edward_johnson
The Telegram team always says they are very secure; it is interesting that they
have such a critical bug.

~~~
alexisJS
They also have a contest for proving they are secure; have they won the contest?

~~~
edward_johnson
If by contest you mean the link given below, it is just for cracking Telegram
encryption, so I don't think they have won it.

[https://telegram.org/blog/cryptocontest](https://telegram.org/blog/cryptocontest)