Telegram Passport Is Vulnerable to Brute Force Attacks
August 2, 2018
The newest project of the Telegram Messenger, Telegram Passport, that is aimed at storing user identities, is vulnerable to hackers attacks. Virgil Security conducted a study and found, that passwords of Telegram Passports can be hacked by brute force attacks.
About a week ago, the Telegram team announced the launch of Telegram Passport. The goal of the project is to encrypt personal identities of users, allowing them to easily undergo KYC, that would make it easier to participate in ICOs, register digital wallets, and use other cryptocurrency services.
Users data is stored in Telegram's cloud with the use of end-to-end encryption. Subsequently, the data is moved to a decentralized cloud and cannot be decrypted. However, Virgil Security says, that having only one password to log in to the service is far from enough to keep the data safe.
The company said in the report, that Telegram utilizes the SHA-512 hashing algorithm for passwords. However, this algorithm is not meant for passwords and is vulnerable to brute force attacks. Even if the amount of symbols in the password is increased by password salting, it still can be brute forced by experienced hackers.
Earlier this year Telegram conducted 2 ICOs and raised $1.7 billion for their Telegram Open Network (TON).