In late July Telegram messenger released a tool for encrypting users’ personal ID data and for allowing them to share this data with startups dealing with electronic assets and comply with know-your-customer (KYC) rules.
The cryptographic software developer Virgil Security, Inc believes that this Telegram Passport can be hacked.
The messenger keeps its users’ data on the decentralized Telegram cloud that cannot decrypt it, since it is perceived visually as “random garbage.”
Nevertheless, the latest study by Virgil Security has shown weak points concerning password protection in this cloud storage.
At Virgil Security, they believe that Telegram utilizes a protocol not meant to hash passwords. Reportedly, it makes data weak against brute force attacks, even if salt is added to it. For a cryptographer, salt means random information added to the data. It adds extra protection to a password by turning it into a longer combination of symbols.
Lack of digital signature
According to the research, after a Telegram user encrypts his/her personal data, it goes to the Telegram cloud. When they need to confirm their identity for a third-party company or service, the user re-encrypts it for the new credentials.
This, the report insists, makes the password easy to hack. Apparently, the lack of digital signature can help criminals change users’ personal data without them being aware.