Very large messages sent through Facebook's chat client can make applications and devices crash in a form of denial-of-service attack, a security researcher has discovered.
"It has been possible to disconnect 3 different testing users (3 out of 3) by sending big enough messages, one of them reported that his tablet restarted after the reception," Buenos Aires, Argentina-based security researcher Chris Russo wrote on the Full Disclosure mailing list.
"The chat module, which at this moment I can't use since it looks like I have been blocked," Russo wrote, "doesn't have any kind of limit in the amount of characters that can be sent."
The exact message that caused the denial-of-service attack hasn't been made public, but Russo did post the code he used with the message deleted.
In comments attached to his posting, Russo wouldn't confirm how big his messages were. He said he kept increasing the sizes by 1,000 characters each time until the exploit worked.
As of this writing, Facebook has not commented on the issue. Russo noted that it took Facebook six weeks to reply the last time he alerted the company to a security flaw.
The attacks don't appear to cause any permanent damage to device hardware, but they are likely to lead to aggravation, frustration and lost productivity for users.