A few days ago, the Telegram team released Passport, an identity verification app that Cointrust covered in detail. The crypto-friendly app has, however, received a negative review from Virgil Security, a US-based security research firm.
Virgil Security, in its blog post, stated that it has discovered several vulnerabilities in the identity verification app. Virgil did, however, praise Telegram for making the project open source, which allows security experts to audit the code. In its report, Virgil mainly pointed out two security issues: the manner in which the app encrypts data and how the stored data is secured.
Virgil Security’s Alexey Ermishkin wrote as follows in the company’s blog: “Their commitment to openness gives security practitioners the opportunity to review their implementation and, ideally, help improve it. Unfortunately Passport’s security disappoints in several key ways.”
Telegram never stated that it would raise funds through an ICO. However, leaked documents indicated that the company was aiming to offer services such as file sharing and encrypted browsing, which other startups have already proposed. The company also wanted to introduce blockchain-based payments within its popular chat app.
Wherever money transactions are involved, the parties will have to be identified in some form or another. To facilitate that process, Telegram launched the Passport project. At the same time, Telegram also wanted to disrupt traditional identity verification providers such as Equifax, which maintain user profiles in centralized databases that are attractive targets for attackers.
Explaining Passport in its blog post, Telegram guarantees that “identity documents and personal data will be stored in the Telegram cloud using end-to-end encryption. It is encrypted with a password that only you know, so Telegram has no access to the data you store in your Telegram passport.”
However, the report issued by Virgil Security indicates that Telegram still has bugs in the code to fix.
Brute force technique
Highlighting the fact that Telegram uses SHA-512 to hash passwords, Virgil Security said: “It’s 2018 and one top-level GPU can brute-force checks about 1.5 billion SHA-512 hashes per second.” Furthermore, Virgil Security states that, given enough computers, each password can be easily broken for a small sum of between $5 and $135. Virgil does, however, acknowledge that an attacker must first breach Telegram’s own defenses to obtain the hashes.
Virgil Security co-founder Dmitry Dain said:
“To access the password hashes, the attack would have to be internal to Telegram. The ways that could happen are numerous — insider threat, spearphish, one rogue USB stick, etc.”
If millions of users start using the service, then the database will easily become an attractive target.
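The fix implied by Virgil’s criticism is to replace a single fast hash with a deliberately slow, memory-hard key derivation function. The following is an added illustration, not Telegram’s or Virgil’s code: a constructed SHA-512 scheme standing in for the weak approach, beside a scrypt-based alternative, with a helper that measures how much more expensive each guess becomes; the scrypt parameters and the test passwords are assumptions.

```python
import hashlib
import hmac
import os
import time

# Weak scheme, a constructed stand-in for the finding above (not Telegram's code):
# one fast SHA-512 over salt || password. Cheap to compute, so cheap to guess.
def weak_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha512(salt + password.encode("utf-8")).digest()

# Hardened scheme: scrypt, a memory-hard KDF from the standard library.
# n=2**14, r=8 needs about 16 MiB of RAM per derivation, which GPUs handle poorly.
# Parameters are assumptions chosen for illustration; tune them for production.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}

def strong_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=64, **SCRYPT_PARAMS)

def verify(stored: bytes, candidate: bytes) -> bool:
    # Constant-time comparison so verification itself leaks nothing about the stored value.
    return hmac.compare_digest(stored, candidate)

def seconds_per_guess(hash_fn, password: str, salt: bytes, iterations: int) -> float:
    start = time.perf_counter()
    for _ in range(iterations):
        hash_fn(password, salt)
    return (time.perf_counter() - start) / iterations

def slowdown_factor(password: str = "correct horse battery staple") -> float:
    # How many times more work one guess costs under scrypt than under plain SHA-512.
    salt = os.urandom(16)
    weak = seconds_per_guess(weak_hash, password, salt, 2000)
    strong = seconds_per_guess(strong_hash, password, salt, 5)
    return strong / weak

if __name__ == "__main__":
    salt = os.urandom(16)
    stored = strong_hash("hunter2", salt)  # constructed sample password
    print("verify correct:", verify(stored, strong_hash("hunter2", salt)))
    print("verify wrong:  ", verify(stored, strong_hash("hunter3", salt)))
    print(f"scrypt makes each guess roughly {slowdown_factor():,.0f}x more expensive")
```

The slowdown factor is measured on the host CPU, so it varies between machines; the point is the order of magnitude, which a leaked table of plain SHA-512 hashes never gets.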
Unsigned data issue
The other vulnerability pointed out by Virgil is that the data uploaded to Passport isn’t signed. A cryptographic signature makes it possible to confirm which user uploaded the data and to guarantee that it has not been tampered with. Without a signature, the data can be altered and its origin cannot be established.
Virgil Security argues:
“Now, when people see ‘end-to-end encrypted,’ they believe that their data will safely be sent to a third party without worries of it being decrypted or tampered with. Unfortunately, Passport users will have a false sense of confidence.”
The crypto community is hopeful that Telegram sorts out the issues pointed out by Virgil Security soon.