Telegram passport has password security flaws

Image for post
Image for post

Just a few days back we wrote about the new Telegram passport that would allow users to upload their documents once, then instantly share your data with services that require real-world ID (finance, ICOs, etc.).

Now we find that Virgil Security Inc., a cryptographic software and services developer has just reported that it is flawed and is vulnerable to a “brute force attack.”

Disappointing security

Its statement says: “Unfortunately Passport’s security disappoints in several key ways and the biggest concern is around password protection. Passwords are the underlying data protection mechanism in the Passport product. Telegram states that “Your identity documents and personal data will be stored in the Telegram cloud using End-to-End Encryption,” but they’re using SHA-512, a hashing algorithm that is not meant for hashing passwords.”

Virgil Security also points out that the problems that have already been experienced with SHA-1. Back in 2013, LivingSocial lost 50 million passwords using the hashing algorithm and LinkedIn lost 8 million passwords in 2012 using the same tool.

Not enough ‘salt’!

Telegram claims that users’ data is kept on the Telegram cloud using end-to-end encryption, subsequently moved to a decentralized cloud, which cannot decrypt personal data as it is seen as “random noise.” It also says that SHA-512 has been “salted”, which in cryptographic terms means “a salt is random data added as an extra secret value to the end of the input, which extends the length of the original password, providing some additional protection.”

However, Virgil says the added ‘salt’ is not enough to prevent a brute force attack on passwords in particular. The security firm explained: “The security of the data you upload to Telegram’s Cloud overwhelmingly relies on the strength of your password since brute force attacks are easy with the hashing algorithm chosen. And the absence of digital signature allows your data to be modified without you or the recipient being able to tell.”

So far, Telegram has not commented on Virgil Security’s findings. Perhaps the team is too busy working on a solution.

Written by

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store