Telegram Passport, a personal identification authorization tool recently released by the messenger app, is vulnerable to brute force attacks. This is according to a recent report released by Virgil Security, Inc., a cryptographic software and services developer.
The launch of Telegram Passport
At the end of July, Telegram launched Telegram Passport, which is meant to encrypt users’ personal ID information. It then allows users to share the information on their IDs with third parties such as crypto wallets, initial coin offerings (ICOs), or anyone else that may need it for verification. This information is mainly shared to comply with know your customer (KYC) regulations.
Telegram Passport uses end-to-end encryption and sends users’ data to the Telegram cloud. The information is then moved to a decentralized cloud. At this point, the information cannot be decrypted.
Protection of passwords
In its research, however, Virgil Security has raised concerns over the safety of passwords. Virgil Security says Telegram uses a protocol called which is not meant to hash passwords. Because of this, passwords are very vulnerable to brute force attacks. The report further says the passwords would still be vulnerable even if the algorithm is salted. Salting means adding random data for more secrecy. The salt is added as the final input and helps extend the length of passwords. This provides an additional layer of protection against attacks.
All encrypted personal data is stored on the Telegram cloud. It is this data that users decrypt if they want to authenticate with a third party. The data is then re-encrypted and uploaded back to the Telegram cloud. According to the report, these processes expose passwords to even greater risks.
In a statement, the firm said the security of the data on the cloud is dependent on the strength of the password used. This is because brute force attacks can easily break the hashing algorithm being used.
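The report's point that a salt does not stop brute forcing comes down to cost per guess, which the following added example measures; it is not code from Telegram or Virgil Security. The page does not name Telegram's algorithm, so SHA-512 stands in as a generic fast hash and PBKDF2 with 100,000 iterations as a deliberately slow alternative; both choices, and the 8-character lowercase-plus-digit keyspace, are assumptions of this example.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600

def fast_salted_hash(password: str, salt: bytes) -> bytes:
    # Assumed stand-in: one pass of a general-purpose hash over salt + password.
    return hashlib.sha512(salt + password.encode()).digest()

def slow_kdf(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Assumed alternative: PBKDF2 repeats the HMAC many times for every guess.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)

def seconds_per_guess(derive, salt: bytes, trials: int) -> float:
    # Average wall-clock cost of testing one candidate password.
    start = time.perf_counter()
    for i in range(trials):
        derive(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / trials

def years_to_exhaust(keyspace: int, per_guess: float) -> float:
    # Single-core time needed to try every password in the keyspace.
    return keyspace * per_guess / SECONDS_PER_YEAR

def compare(keyspace: int = 36 ** 8) -> dict:
    # The salt is known to anyone holding the stored record, so it adds
    # no work per guess; only the cost of the derivation function does.
    salt = os.urandom(16)
    fast = seconds_per_guess(fast_salted_hash, salt, trials=20_000)
    slow = seconds_per_guess(slow_kdf, salt, trials=3)
    return {
        "fast_years": years_to_exhaust(keyspace, fast),
        "slow_years": years_to_exhaust(keyspace, slow),
        "slowdown": slow / fast,
    }

if __name__ == "__main__":
    s1, s2 = os.urandom(16), os.urandom(16)
    # Different salts give different digests, which defeats precomputed tables.
    print("salts change digest:",
          fast_salted_hash("hunter2", s1) != fast_salted_hash("hunter2", s2))
    result = compare()
    print(f"fast hash, full keyspace: {result['fast_years']:.4f} years")
    print(f"slow KDF,  full keyspace: {result['slow_years']:.1f} years")
    print(f"slowdown factor: {result['slowdown']:.0f}x")
```

The figures are single-core Python timings, so they understate what dedicated hardware achieves against a fast hash; the ratio between the two functions is the useful number.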
Earlier this year, Telegram announced that it had raised $850 million in its second ICO round. The company said the funds would be used to build the Telegram messenger app as well as a blockchain platform called Telegram Open Network (TON).