Researchers have found what they say is a flaw in Telegram that allows messages of any size to be sent.
The unpatched flaw, demonstrated in a proof-of-concept, lets attackers skirt size restrictions and send messages of any size over the popular encrypted communications app.
Telegram has been contacted for comment.
Iranian researcher Sad Ghaf did not pinpoint the flaw in a bid to prevent others exploiting it, and says he could not find a way to report the flaw to Telegram.
"Due to a programming error [a] sender can gain control of the size of messages and send them with arbitrary length," Ghaf says.
"On the other side [the] victim would receive all incoming messages even if they are too long."
Ghaf and his fellow researchers were able to send a message of 30000 bytes, exceeding the 4096-byte limit, and another that was empty, breaching the one-byte minimum.
Messages can be sent to anyone without pre-authorisation, meaning attackers could drain victims' mobile data allowances and fill up phone storage with junk data.
The application is the most popular encrypted communications platform in Iran, Ghaf says.