Virgil Security, Inc., a cryptographic services provider, has published a report which raises concerns regarding the security of Telegram Passport.
Telegram Passport is the latest feature introduced by the messaging app last month. It allows users to upload personal identification documents such as passports, identity cards, and drivers licenses to be stored in the Telegram cloud. These documents are encrypted so that users can verify their identities on third-party services without exposing their personal data.
Virgil, however, thinks that this feature is not secure at all.
Firstly, Telegram uses Secure Hashing Algorithm 2 (SHA-512), which is cryptographically weak. Virgil explains that in order to secure passwords, it should take a hacker more time to guess each password.
“It’s 2018 and one top-level GPU can brute-force check about 1.5 billion SHA-512 hashes per second.”
Salting is a way to include random data in a password; , however, even that won’t help in SHA-512’s case. Only a strong password will keep a users’ account safe from brute force attacks.
Virgil added that employment services website LinkedIn was hacked in 2012 since it used SHA-2’s predecessor, SHA-1. The attack exposed the passwords of 8 million LinkedIn users. Next year, online marketplace LivingSocial, which also used SHA-1, lost 50 million passwords in a similar attack. Hence, it is surprising that Telegram decided to use such a weak password protection system.
Secondly, Telegram claims that it encrypts user data and then sends it to the cloud. The data is then decrypted and re-encrypted to confirm the user’s identity on the third-party service. The data obtained is not completely random and uses SHA-2 once again. In addition to that, the app doesn’t include the option of a digital signature, and “the absence of digital signature allows your data to be modified without you or the recipient being able to tell.”
On its official blog post, Telegram wrote that the service was end-to-end encrypted and used a password only the user knew. However, this research show that the loopholes present in the codes makes the user vulnerable to hackers. Some of the alternatives provided by Virgil include SCrypt, BCrypt, Argon2, BrainKey and Pythia.
In August 2016, hackers exposed the phone numbers of 15 million Iranian Telegram users. Back then, a user authentication system that used SMS to complete the process resulted in the attack. Since Passport holds sensitive information, it may already be targeted by hackers. It is now up to Telegram to handle the situation and improve the security of this “high profile product”.