Virgil Security published a report that shows how the Telegram Passport app is vulnerable to brute-force attacks. Telegram Passport is a new service from Telegram that allows users to upload and store documents such as their passport, driver's license, bank statements or any other ID document and then share them with third-party services. This is a perfect solution for complying with KYC (Know Your Customer) requirements. Many ICOs and other crypto-related services that want to verify a user's identity look for such a solution.
According to Virgil Security, Passport’s security disappoints in several fundamental ways. But the biggest security threat is that Telegram’s password protection uses SHA-512, a hashing algorithm that is not meant for hashing passwords.
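The cost gap behind that criticism can be measured directly. The following is an added example, not code from Virgil Security's report or from Telegram: it compares one pass of salted SHA-512 (a simplified stand-in, not Passport's exact construction) with scrypt, a function designed for passwords. The password, salt and scrypt parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values, not taken from Telegram Passport.
PASSWORD = b"correct horse battery staple"
SALT = os.urandom(16)

def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One pass of salted SHA-512: a general-purpose hash, cheap by design."""
    return hashlib.sha512(salt + password).digest()

def slow_kdf(password: bytes, salt: bytes) -> bytes:
    """scrypt: a password KDF with tunable CPU and memory cost (about 16 MiB here)."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=64)

def seconds_per_call(fn, rounds: int) -> float:
    """Average wall-clock time of one derivation, i.e. the cost of one guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(PASSWORD, SALT)
    return (time.perf_counter() - start) / rounds

def work_factor() -> float:
    """How many times more expensive one scrypt guess is than one SHA-512 guess."""
    fast = seconds_per_call(fast_hash, 20000)
    slow = seconds_per_call(slow_kdf, 3)
    return slow / fast

def verify(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a freshly derived key with the stored one."""
    return hmac.compare_digest(slow_kdf(password, salt), stored)

if __name__ == "__main__":
    ratio = work_factor()
    print(f"one scrypt derivation costs about {ratio:,.0f}x one SHA-512 pass")
    stored = slow_kdf(PASSWORD, SALT)
    print("correct password verifies:", verify(PASSWORD, SALT, stored))
    print("wrong password verifies:", verify(b"guess", SALT, stored))
```

A salt prevents precomputed tables but does not slow down each guess; only the per-derivation cost does, which is what the ratio shows.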
Virgil Security, a cryptographic software company, stated:
End-to-end encryption has become a marketing feature and that is a double-edged sword. Now, when people see “end-to-end encrypted,” they believe that their data will safely be sent to a third party without worries of it being decrypted or tampered with. Unfortunately, Passport users will have a false sense of confidence about the security and privacy of their data as it can be breached due to the weakness of Passport’s password security.
The sensitivity and value of the documents being stored, such as passports, ID documents and other passwords, are incredibly high. Unfortunately, Telegram failed to implement a secure solution. End-to-end encryption is essential for your digital security, and if you invest in crypto, you should double-check your security solution for your IDs and assets.
There was much speculation at the beginning of 2018 about whether Telegram would launch an ICO (for a blockchain platform, Telegraph Open Network, TON). Pavel Durov, a co-founder of Telegram, canceled a public ICO in May because they were able to get enough money from private investors.