The recently released personal identification authorization tool Telegram Passport from messenger app Telegram is vulnerable to brute force attacks, according to an Aug. 1 report by cryptographic software and services developer Virgil Security, Inc.
On July 26, Telegram announced the launch of Telegram Passport, designed to encrypt users’ personal ID information and let them share their ID data with third parties such as initial coin offerings (ICOs), crypto wallets, and anyone complying with know your customer (KYC) regulations.
Users’ data is kept on the Telegram cloud using end-to-end encryption and subsequently moved to a decentralized cloud, which cannot decrypt personal data because it sees it as “random noise.” However, in its recent research, Virgil Security raised concerns about password protection in the service.
According to Virgil Security, Telegram uses SHA-512, a hashing algorithm that is not meant to hash passwords. This algorithm reportedly leaves passwords vulnerable to brute force attacks, even if it’s salted. In cryptography, a salt is random data added as an extra secret value to the end of the input, which extends the length of the original password, providing some additional protection.
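The cost gap behind that criticism can be measured directly. The following is an added example, not code from Telegram or from the Virgil Security report: it times one salted SHA-512 pass against a memory-hard password KDF on the same machine. The `password + salt` layout, the choice of scrypt and its parameters, and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values; not taken from Telegram or the Virgil Security report.
SALT = os.urandom(16)
PASSWORD = b"correct horse battery staple"


def salted_sha512(password: bytes, salt: bytes) -> bytes:
    """One fast hash pass; password + salt is an assumed layout, not Telegram's code."""
    return hashlib.sha512(password + salt).digest()


def scrypt_kdf(password: bytes, salt: bytes) -> bytes:
    """Memory-hard password KDF: each guess needs about 16 MiB and many milliseconds."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=64)


def verify(kdf, password: bytes, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored value."""
    return hmac.compare_digest(kdf(password, salt), expected)


def seconds_per_guess(kdf, rounds: int) -> float:
    """Average wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        kdf(b"guess-%d" % i, SALT)
    return (time.perf_counter() - start) / rounds


def years_to_exhaust(keyspace: int, cost: float) -> float:
    """Single-core time to try every candidate at `cost` seconds per guess."""
    return keyspace * cost / (365 * 24 * 3600)


if __name__ == "__main__":
    fast = seconds_per_guess(salted_sha512, 20000)
    slow = seconds_per_guess(scrypt_kdf, 5)
    keyspace = 36 ** 8  # 8 characters drawn from lowercase letters and digits
    print(f"salted SHA-512: {fast:.2e} s/guess, {years_to_exhaust(keyspace, fast):.2f} years")
    print(f"scrypt:         {slow:.2e} s/guess, {years_to_exhaust(keyspace, slow):.0f} years")
    print(f"work factor ratio: {slow / fast:.0f}x")
```

The salt is identical in both cases, so the difference in the printed figures comes entirely from the per-guess cost of the function, which is the property a password hash is chosen for.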
When a user encrypts personal data, it is reportedly uploaded to the Telegram cloud, and when a user needs to confirm authenticity on a third party service, they decrypt that data and re-encrypt it for that service’s credentials. All these factors reportedly contribute to potential exposure of a user’s password hash table to very efficient hacker attacks. The firm further explains:
“The security of the data you upload to Telegram’s Cloud overwhelmingly relies on the strength of your password since brute force attacks are easy with the hashing algorithm chosen. And the absence of digital signature allows your data to be modified without you or the recipient being able to tell.”
In March, Telegram founders Pavel and Nikolai Durov reported they had raised $850 million in the second round of their ICO, aimed at the development of the Telegram messenger app and its own blockchain platform, Telegram Open Network (TON). Later, in May, Telegram’s plan to launch an ICO was canceled because the messaging app had attracted enough funds during its two private ICO rounds.