Telegram recently launched the Telegram Passport, which allows you to store your real-world IDs (or documents) online for easy sharing with services that require you to prove your real identity.
However, recent reports suggest that the personal identification authorization tool is actually quite vulnerable to brute force attacks.
According to a report by cryptographic software and services developer Virgil Security, Inc., users’ data is kept on the Telegram cloud using end-to-end encryption, subsequently moved to a decentralized cloud, which cannot decrypt personal data as it is seen as “random noise.”
However, Telegram uses SHA-512, a hashing algorithm that is not meant to hash passwords. This algorithm reportedly leaves passwords vulnerable to brute force attacks, even if they are salted.
For those of you unaware, a salt is random data added as an extra secret value, which extends the length of the original password, providing some additional protection.
It’s 2018 and one top-level GPU can brute-force check about 1.5 billion SHA-512 hashes per second. That means that ten such GPUs (a small cryptocurrency mining farm) can check each and every 8 char password from a 94 char alphabet in 4.7 days! That’s $135/password in the worst-case scenario, using US average electricity costs for the calculation. In practice though, this number can go down to $5/password or even less, given people’s choices of password complexity.
To sum things up, Telegram Passport is a great tool which has been let down due to its security flaws. As the report itself concludes, “the security of the data you upload to Telegram’s Cloud overwhelmingly relies on the strength of your password since brute force attacks are easy with the hashing algorithm chosen”.
