Encrypted messaging app Telegram reportedly contains an unpatched vulnerability that bad actors can exploit to send massive text messages that drive up data charges or cause mobile phones to crash.

Iranian security research blog Sad Ghaf this week reported a unspecified programming error in Telegram that allows senders to transmit a message of arbitrary length. Normally, the app sets text message parameters to between one and 4,096 characters or bytes, but the researchers behind the blog were able to send a text that was over 30,000 bytes long.

Such abuse can cause a phone to crash due to lack of memory, and also cause a recipient to exceed monthly data allowances. An individual does not even need to be in a user's friend list to attack, the blog explained. In February 2016, Telegram announced that it had over 100 million active users.