Research: Telegram Passport Is Vulnerable to Brute Force Attacks

Published at: Aug. 2, 2018

The recently released personal identification authorization tool Telegram Passport from messenger app Telegram is vulnerable to brute force attacks, according to an Aug. 1 report by cryptographic software and services developer Virgil Security, Inc.

On July 26, Telegram announced the launch of Telegram Passport, which is designed to encrypt users’ personal ID information and let them share their ID data with third parties such as initial coin offerings (ICOs), crypto wallets, and anyone complying with know your customer (KYC) regulations.

Users’ data is kept on the Telegram cloud using end-to-end encryption and is subsequently to be moved to a decentralized cloud, which cannot decrypt personal data as it is seen as “random noise.” However, in its recent research, Virgil Security raised concerns about password protection in the service.

According to Virgil Security, Telegram uses SHA-512, a hashing algorithm that is not meant to hash passwords. This algorithm reportedly leaves passwords vulnerable to brute force attacks, even if it’s salted. In cryptography, a salt is random data added as an extra secret value to the end of the input, which extends the length of the original password, providing some additional protection.
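The point about salting can be checked directly. The following is an added example, not code from Telegram or Virgil Security: it compares one salted SHA-512 pass with a memory-hard password hash (scrypt is chosen here as an assumption, with illustrative parameters) and measures how much work each costs per candidate password.

```python
import hashlib
import hmac
import os
import time


def salted_sha512(password: str, salt: bytes) -> bytes:
    """One salted SHA-512 pass, salt appended as the article describes."""
    return hashlib.sha512(password.encode() + salt).digest()


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard password hash; n, r, p are illustrative assumptions."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=64)


def verify(password: str, salt: bytes, stored: bytes, kdf) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(kdf(password, salt), stored)


def seconds_per_hash(kdf, rounds: int) -> float:
    """Average wall-clock cost of hashing one candidate password."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        kdf(f"candidate-{i}", salt)  # constructed inputs, timing only
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive scrypt is than salted SHA-512."""
    fast = seconds_per_hash(salted_sha512, 20_000)
    slow = seconds_per_hash(scrypt_hash, 5)
    return slow / fast


if __name__ == "__main__":
    s1, s2 = os.urandom(16), os.urandom(16)
    # The salt makes equal passwords hash differently (defeats precomputed
    # tables) but does nothing to slow down each individual computation.
    print("same password, different salts differ:",
          salted_sha512("hunter2", s1) != salted_sha512("hunter2", s2))
    print(f"scrypt costs about {cost_ratio():,.0f}x more per candidate")
```

The ratio is the defender's margin: every candidate password costs an attacker that much more work when a purpose-built password hash is used, while the salt alone leaves the per-candidate cost unchanged.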

When a user encrypts personal data, it is reportedly uploaded to the Telegram cloud, and when a user needs to confirm authenticity on a third party service, they decrypt that data and re-encrypt it for that service’s credentials. All these factors reportedly contribute to potential exposure of a user’s password hash table to very efficient hacker attacks. The firm further explains:

“The security of the data you upload to Telegram’s Cloud overwhelmingly relies on the strength of your password since brute force attacks are easy with the hashing algorithm chosen. And the absence of digital signature allows your data to be modified without you or the recipient being able to tell.”

In March, Telegram founders Pavel and Nikolai Durov reported they had raised $850 million in the second round of their ICO, aimed at the development of the Telegram messenger app and its own blockchain platform, Telegraph Open Network (TON). Later, in May, Telegram’s plan to launch an ICO was canceled because the messaging app had attracted enough funds during its two private ICO rounds.
