Telegram's newly released Passport service has turned out to be vulnerable to brute-force attacks, according to Virgil Security, Inc., a company that works in the field of cryptographic software and services.
On July 26, Telegram announced the launch of Telegram Passport, intended for the encryption of users' personal information. The service lets users share their credentials with third parties such as ICO projects, cryptocurrency wallets and other organizations that have to adhere to KYC rules.
User data is stored in the Telegram cloud using end-to-end encryption and then moves to a decentralized cloud. If the user then needs to grant a third-party company access to this data, they just need to enter their password. However, in a recent study, Virgil Security expressed concern about this protection.
According to Virgil Security, Telegram uses the SHA-512 hashing algorithm, which is not designed for password hashing. This algorithm leaves passwords vulnerable to brute-force attacks, even if they are mixed with random data.
In cryptography, such random data is added to provide extra protection.
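The gap between a fast hash and a password-hashing function can be measured directly. The following is an added example, not code from Telegram or Virgil Security: it derives a key with one salted SHA-512 pass and with scrypt, then compares the cost of testing a single guess. The salt-then-password layout, the scrypt parameters and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample inputs; the salt layout below is an assumption,
# not Telegram's actual construction.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = b"correct horse battery staple"


def weak_key(password: bytes, salt: bytes) -> bytes:
    """One salted SHA-512 pass: the salt defeats precomputed tables,
    but every guess still costs only a single fast hash."""
    return hashlib.sha512(salt + password).digest()


def hardened_key(password: bytes, salt: bytes) -> bytes:
    """scrypt: every guess needs about 16 MiB of memory and many rounds."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=64)


def verify(kdf, password: bytes, salt: bytes, expected: bytes) -> bool:
    """Check a candidate password with a constant-time comparison."""
    return hmac.compare_digest(kdf(password, salt), expected)


def seconds_per_guess(kdf, rounds: int) -> float:
    """Average wall-clock cost of deriving one key, i.e. testing one guess."""
    start = time.perf_counter()
    for i in range(rounds):
        kdf(b"guess-%d" % i, SALT)
    return (time.perf_counter() - start) / rounds


def slowdown_factor() -> float:
    """How many times more expensive one guess is under scrypt."""
    weak = seconds_per_guess(weak_key, 20000)
    hard = seconds_per_guess(hardened_key, 5)
    return hard / weak


if __name__ == "__main__":
    print(f"scrypt makes each guess ~{slowdown_factor():,.0f}x more expensive")
```

The salt is identical in both derivations, so the measured difference comes entirely from the work factor of the function.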
The security of the data you upload to the Telegram cloud depends greatly on the complexity of your password, because brute-force attacks are quite effective at cracking this hash algorithm. And the lack of a digital signature means that anyone who has the password can change your information without your participation.
Virgil Security claims that the “cost” of such an attack would be $5 to $135 per password. However, the company also acknowledges that such an attack can only be performed with access to Telegram's internal structure, which could be obtained through phishing attacks or social engineering techniques.
In March, Telegram's founders, Pavel and Nikolai Durov, said that in the second round of their ICO they had managed to raise $850 million, which will be used to develop their own blockchain platform, Telegraph Open Network (TON).