Virgil Security, Inc., a cryptographic services provider, has revealed a report which shows issues relating to the security of Telegram Passport.
Telegram Passport is the most recent feature launched by the messaging app in July. It enables users to upload personal identification documents including passports, identity cars, and drivers’ licenses to be stored in the Telegram cloud. These documents are encrypted allowing users to verify their identities on third-party services without revealing their personal data.
However, in the view of Virgil, this feature is not safe at all.
To begin with, Telegram uses Secure Hashing Algorithm 2 (SHA-512), which is cryptographically vulnerable. Virgil notes that for passwords to be secure, it should take a hacker more time to guess each password.
“It’s 2018 and one top-level GPU can brute-force check about 1.5 billion SHA-512 hashes per second.”
Salting is a method used to add random data in a password, but even that is not a solution in the case of SHA-512. Only a strong password will protect users’ account from brute force attacks.
Virgil went on to explain that employment services website LinkedIn was hacked back in 2012 because it used SHA-2’s predecessor, SHA-1. The attack revealed the passwords of 8 million LinkedIn users. After that, online marketplace LivingSocial, which also used SHA-1, lost 50 million passwords in a similar attack. Therefore, it is shocking that Telegram chooses to use such a weak password protection system.
Furthermore, Telegram states that it encrypts user data and then sends it to the cloud. After that, the data is then decrypted and re-encrypted to confirm the user’s identity on the third-party service. The received data is not totally random and uses SHA-2 again. In addition to that, the app does not have the alternative of a digital signature, and “the absence of digital signature allows your data to be modified without you or the recipient being able to tell.”
Telegram noted in its official blog post that the service was end-to-end encrypted and used a password only known to the user, yet, this research indicates that the issues are present in the codes makes the user susceptible to hackers. Some of the options offered by Virgil include Scrypt, BCrypt, Argon2, BrainKey, and Pythia.