[RichardHeart]

1 point by RichardHeart 44 minutes ago | parent | edit | delete [-] | on: Telegram 0-day vulnerability that can be used to d...

"TELEGRAM'S REPLY ZDNet has reached out to Telegram for comment earlier today, and the company has looked into the issue reported by Hong Kong protesters. "We have safeguards in place to prevent importing too many contacts - exactly to prevent the scenario," a Telegram spokesperson said.

"In fact, our data shows that the bot displayed on the screenshots got banned from further imports after two seconds - and only managed to successfully import 85 contacts (not 10,000)," it said. "Once you get banned from importing contacts, you can only add up to 5 new numbers per day. The rest of the contacts you add will look like they're not using Telegram - even if they are."

However, this ban limit can be bypassed. A determined threat actor like the Chinese state can easily employ multiple bots to exploit this issue, instead of just one, and they'll eventually import the entire phone number sequence they want to cover."