Security Company Virgil Security claims that Telegram Passport—a identification document storage application—is susceptible to malicious hackers.
Telegram’s new identification storage application faces harsh criticism after a US-based cryptographic expert exposed the app’s vulnerabilities.
According to Virgil Security, the Telegram Passport fails in safeguarding its users’ information, emphasizing that the app’s password protection measure is open to successful hacking attempts.
The cloud-based instant messaging app launched Telegram Passport last July 26 as an all-in-one storage in which users can upload their identification cards and other related documents. Telegram Passport aims to provide an easier way for its users to comply with several identity authentications and know-your-customer (KYC) processes employed by financial institutions and cryptocurrency-related facilities.
Nevertheless, Virgil Security’s Chief Product Security Officer Alexey Ermishkin pointed out that the users’ important documents stored by Telegram Passport in its cloud remain susceptible to brute force attacks. Although the messaging company used end-to-end encryption in protecting user passwords, Ermishkin argued that the algorithm Telegram uses to encrypt the data is weak enough to disregard the advantages of end-to-end encryption.
Ermishkin, in a post, added:
“End-to-end encryption has become a marketing feature and that is a double-edged sword. Now, when people see ‘end-to-end encrypted,’ they believe that their data will safely be sent to a third party without worries of it being decrypted or tampered with. Unfortunately, Passport users will have a false sense of confidence about the security and privacy of their data as it can be breached due to the weakness of Passport’s password security.”
Because of the absence of a digital signature, passwords serve as the only authenticating factor on Telegram Passport. It is therefore vital that the service provider protects these passwords from malicious third parties. But, as Ermishkin noted, Telegram “Passport’s security disappoints in several key ways.”
Weak Password Security
Virgil Security first praised Telegram for keeping the code of Telegram Passport open for developers to tinker with and to scrutinize. Thanks to that, the team cryptographic expert was able to diagnose what was lacking in the identity storage app.
One of Telegram Passport’s weak points is that it employs an SHA-512 hash function, a seemingly unfit measure for hashing passwords. Virgil Security claimed that one or more high-quality graphics-processing units (GPUs) could brute-force more than 1.5 million SHA-512 hashes per second.
Moreover, Virgil Security found that the encryption keys Telegram Passport produces are not exactly random. According to the post, the first byte of one array is limited to satisfy certain parameters. Ermishkin claimed that because there are specific conditions the byte needs to fulfill, hackers receive a clue as to how to decrypt the encrypted key. As a result, Virgin Security claimed brute force attacks on the encrypted bytes are much faster.
Ermishkin, also co-author of the NoiseSocket protocol, explained:
“We’re calling it ‘almost’ random because it adjusts the first byte of random byte array in a way that the sum of all bytes is 0 mod 239. Telegram seems to have invented their own way of verifying that those secret bytes were decrypted properly. It’s unclear as to why they didn’t use HMAC or AEAD cipher.”
To conclude its report, Virgil Security recommended Telegram Passport to adopt different end-to-end encryption solutions and processes that passed security tests and endured several hacking attempts. With these claims, virtual currency holders are looking forward to the new identity storage app hope that Telegram ramps up its password security measures.