Virgil Security, Inc., a crypto security service provider, has released a report that raises concerns about the safety of Telegram Passport.
Telegram Passport is the latest Telegram feature, announced last month. It lets you store identification documents such as a passport, ID card or driver's license in the Telegram cloud.
These files are encrypted so that users can prove their identity to a third-party service without leaking personal information.
However, Virgil believes that this functionality is not safe at all. First, it uses SHA-512, from the Secure Hash Algorithm 2 family, which is easy to compute. Virgil explains that, to protect passwords, hackers should have to spend a lot of time guessing each one. Now, in 2018, a top-end GPU can test about 1.5 billion SHA-512 hashes.
A salt is a way to include random data in a password before it is hashed. But even this does not help with SHA-512. Only complex passwords can protect user accounts from hackers.
Virgil says that LinkedIn, the employment service site, was hacked in 2012 because it used SHA-1, the forerunner of SHA-2. In that attack, the passwords of 8 million LinkedIn users were revealed. A year later, the online marketplace LivingSocial, which also used SHA-1, exposed the passwords of 50 million users in a similar attack. It is therefore surprising that Telegram decided to use this weak password protection system.
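An added illustration of the point about fast hashes and salts, not code from Virgil's report or from Telegram: it measures the cost of one guess against a single salted SHA-512 pass and against the same primitive iterated with PBKDF2. The PBKDF2 comparison, the salt-then-password layout, the iteration count and the sample password policies are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this demo, not a figure from the report


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One pass of salted SHA-512 (salt-then-password layout is an assumption)."""
    return hashlib.sha512(salt + password).digest()


def stretched_hash(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The same SHA-512 primitive iterated through PBKDF2-HMAC."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations)


def verify(password: bytes, salt: bytes, stored: bytes, hasher) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(hasher(password, salt), stored)


def seconds_per_guess(hasher, rounds: int) -> float:
    """Average cost of one password guess on this machine."""
    salt = os.urandom(16)  # a fresh salt changes the digest, not the cost
    start = time.perf_counter()
    for i in range(rounds):
        hasher(b"guess-%d" % i, salt)
    return (time.perf_counter() - start) / rounds


def years_to_search(keyspace: int, per_guess: float) -> float:
    """Worst-case time to try every candidate password at a given cost per guess."""
    return keyspace * per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    fast = seconds_per_guess(fast_hash, 20_000)
    slow = seconds_per_guess(stretched_hash, 3)
    print(f"salted SHA-512: {fast:.2e} s/guess, PBKDF2: {slow:.2e} s/guess")
    # Constructed password policies, to show why only complexity helps a fast hash.
    for label, space in [("8 lowercase letters", 26 ** 8), ("12 printable chars", 94 ** 12)]:
        print(f"{label}: {years_to_search(space, fast):.3g} years vs "
              f"{years_to_search(space, slow):.3g} years")
```

The salt forces each account to be attacked separately, but the per-guess cost of the single-pass hash stays the same, which is why only password complexity or a deliberately slow function raises the search time.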
Next, the encoder encrypts the user data and sends it to the cloud. The data is then decrypted and re-encrypted so that the user's identity can be verified with a third-party service. The data obtained is not entirely random, and SHA-2 is used again.
Telegram writes in its official blog post that the service is encrypted end-to-end, using only a password that the user knows. However, the vulnerability in the code leaves users exposed to hackers.
In August 2016, hackers revealed the telephone numbers of 15 million Iranian users. At that time, customers used SMS to complete the authentication process. Because Telegram Passport holds confidential information, it could become a target for hackers. Telegram is dealing with this situation and enhancing security.