From the very moment Telegram launched Telegram Passport – a new personal identification tool – most observers expected it to become a target from a security standpoint. While Telegram Passport has yet to be breached, its safeguard measures have already been called into question. Leading cryptographic software developer Virgil Security has already published a series of reports finding that Telegram Passport is vulnerable to what it considers to be “brute force attacks.” It’s safe to say that this is not the news that Telegram wanted to hear in the wake of its launch.
Already Under Pressure
We’ve previously looked at Telegram Passport and what it will potentially mean for the storage and sharing of personal ID data. The entire purpose of Telegram Passport is to make it easier for anyone to comply with know-your-customer (KYC) practices when using crypto wallets, crypto exchanges, and ICOs.
All user data is held within the Telegram cloud, which makes use of end-to-end encryption. When required, this data is shifted to a decentralized cloud, which is meant to heighten the level of data security further – or at least that’s the idea. While Telegram Passport arrived with plenty of hype, Virgil Security has already been able to pick holes in the service, raising concerns over password protection specifically.
Hashed and Salted
Virgil Security’s analysis of Telegram revealed that the platform uses SHA-512, but this hashing algorithm isn’t designed for password hashing. What this means for the average user is that – even if the password is “salted” – it’s left susceptible to brute force attacks. In the world of cryptography, “salting” a password means adding random data to it before it is hashed – usually making the hashed value harder for outside parties to work back to the original password.
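To make the point above concrete, here is an added example (not code from Telegram or from Virgil Security’s report) that hashes a constructed password two ways: once with a salted SHA-512, a fast general-purpose hash, and once with scrypt, a key derivation function built for password storage. The `guesses_per_second` measurement shows why the choice matters: the same salt protects both, but a fast hash lets far more candidate passwords be checked per second against a stored value. The salt, password and scrypt parameters are constructed for illustration and say nothing about Telegram’s actual settings.

```python
import hashlib
import hmac
import os
import time

# Constructed example values; not Telegram's real parameters or data.
SALT = os.urandom(16)
EXAMPLE_PASSWORD = "correct horse battery staple"


def sha512_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-512: a fast general-purpose hash, not a password hash."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def scrypt_hash(password: str, salt: bytes, n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """Salted scrypt: a memory-hard KDF designed for password storage.

    With n=2**14 and r=8 each evaluation touches about 16 MiB of memory,
    which is what makes bulk guessing expensive."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)


def verify(password: str, salt: bytes, stored: bytes, hasher) -> bool:
    """Check a password against a stored hash using a constant-time comparison."""
    return hmac.compare_digest(hasher(password, salt), stored)


def guesses_per_second(hasher, salt: bytes, seconds: float = 0.3) -> float:
    """Measure how many candidate passwords one CPU core can push through `hasher`.

    Defenders use this number to size KDF parameters: the lower it is, the
    longer an attacker needs per guess against a stolen hash."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hasher(f"candidate-{count}", salt)
        count += 1
    return count / seconds


def slowdown_factor(salt: bytes) -> float:
    """How many times slower scrypt is than SHA-512 per guess on this machine."""
    return guesses_per_second(sha512_hash, salt) / guesses_per_second(scrypt_hash, salt)


if __name__ == "__main__":
    stored_fast = sha512_hash(EXAMPLE_PASSWORD, SALT)
    stored_slow = scrypt_hash(EXAMPLE_PASSWORD, SALT)
    print("sha512 verify:", verify(EXAMPLE_PASSWORD, SALT, stored_fast, sha512_hash))
    print("scrypt verify:", verify(EXAMPLE_PASSWORD, SALT, stored_slow, scrypt_hash))
    print(f"sha512 guesses/s: {guesses_per_second(sha512_hash, SALT):,.0f}")
    print(f"scrypt guesses/s: {guesses_per_second(scrypt_hash, SALT):,.0f}")
    print(f"scrypt is {slowdown_factor(SALT):,.0f}x slower per guess")
```

The exact numbers depend on the machine, but the ratio is the lesson: salting stops precomputed tables from being reused across users, while only a deliberately slow, memory-hard function limits how fast each individual guess can be tried.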
Before a user uploads data to the Telegram cloud, it’s encrypted in order to keep prying eyes at bay. Then, for it to be used by a third-party service, the data is decrypted and encrypted once again to meet that particular service’s security requirements. All of these measures should put a user’s password under a digital lock and key, but instead they potentially expose passwords to efficient attackers who know how to carry out brute force attacks.
Taking the time to explain its findings, Virgil Security said, “The security of the data you upload to Telegram’s Cloud overwhelmingly relies on the strength of your password since brute force attacks are easy with the hashing algorithm chosen. And the absence of a digital signature allows your data to be modified without you or the recipient being able to tell.”
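The second half of Virgil Security’s statement, the missing digital signature, is illustrated by the following added example (not Telegram’s code and not from the Virgil report). It uses a constructed stream cipher (HMAC-SHA256 in counter mode, chosen only because it needs no third-party library) to encrypt a small KYC-style record, shows that flipping bytes in the ciphertext silently changes the decrypted record, and then adds an integrity tag that lets the recipient detect the change. The HMAC tag stands in for the digital signature the quote refers to; a public-key signature plays the same role when the recipient is a third party who must not hold the sender’s secret.

```python
import hashlib
import hmac
import os

# Constructed example keys and data; nothing here reflects Telegram's real design.
ENC_KEY = os.urandom(32)
SIGN_KEY = os.urandom(32)
RECORD = b"name=Alice Example;verified=false;doc=EXAMPLE-0001"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream by running HMAC-SHA256 over nonce||counter (constructed cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: XOR plaintext with the keystream (no integrity)."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt(key, nonce, ciphertext)


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model an in-transit modification: XOR the ciphertext with old^new at `offset`.

    Because a stream cipher is malleable, the recipient decrypts `new` where the
    sender wrote `old`, and nothing in the ciphertext alone reveals the change."""
    edited = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[offset + i] ^= o ^ n
    return bytes(edited)


def seal(enc_key: bytes, sign_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then attach a tag over nonce||ciphertext (encrypt-then-MAC)."""
    ciphertext = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(sign_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(enc_key: bytes, sign_key: bytes, nonce: bytes, sealed: bytes):
    """Verify the tag first; return None if the message was modified."""
    ciphertext, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(sign_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, nonce, ciphertext)


def demo_unsigned(enc_key: bytes, nonce: bytes) -> bytes:
    """Without a tag, the recipient accepts the altered record as genuine."""
    ct = encrypt(enc_key, nonce, RECORD)
    offset = RECORD.index(b"verified=") + len(b"verified=")
    tampered = flip_field(ct, offset, b"false", b"true;")
    return decrypt(enc_key, nonce, tampered)


def demo_signed(enc_key: bytes, sign_key: bytes, nonce: bytes):
    """With a tag, the same modification is rejected before decryption."""
    sealed = seal(enc_key, sign_key, nonce, RECORD)
    offset = RECORD.index(b"verified=") + len(b"verified=")
    tampered = flip_field(sealed, offset, b"false", b"true;")
    return open_sealed(enc_key, sign_key, nonce, tampered)


if __name__ == "__main__":
    nonce = os.urandom(16)
    print("unsigned, after tampering:", demo_unsigned(ENC_KEY, nonce))
    print("signed, after tampering:  ", demo_signed(ENC_KEY, SIGN_KEY, nonce))
    print("signed, untouched:        ",
          open_sealed(ENC_KEY, SIGN_KEY, nonce, seal(ENC_KEY, SIGN_KEY, nonce, RECORD)))
```

The design point is the one Virgil Security raises: confidentiality and integrity are separate properties. Encryption hides the record, but only a tag or signature bound to the ciphertext lets the recipient tell that what they decrypted is what the uploader actually submitted.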
Picking Up the Pace
Telegram has been moving full-steam ahead in recent months. Its ICO – TON – raised a staggering $850 million through a follow-up round of funding, which easily makes it the biggest ICO of all time in terms of pre-sale value. This funding will be used to further develop Telegram and its dedicated blockchain plans. However, not long after smashing through its ICO funding targets, Telegram’s public ICO launch was pulled – with tokens now strictly limited to pre-sale purchasers.
Has Telegram Slipped Up?
The emergence of TON, the arrival of Telegram Passport, and the continued popularity of Telegram as a messaging service all mean that Telegram has a huge amount on its plate in 2018. While this is a positive thing in general, it has also let some important security measures slip through the cracks – at least as far as Telegram Passport is concerned.