Date: 2018-08-03

Telegram recently launched the Telegram Passport feature for its platform. Telegram Passport allows users to store their real-world documents and IDs online and to share them with services that require proof of real identity. The feature comes in handy when registering on a new website; however, data privacy has been a concern among users from the beginning.

Now, new reports suggest that Telegram's personal identification authorization tool is vulnerable to brute-force attacks, which is a major concern for users. The report comes from the cryptographic software and service developer Virgil Security, Inc. It says that a user's data is stored on the Telegram cloud using end-to-end encryption. The data is then moved to the decentralized cloud, which is unable to decrypt the personal data and sees it only as "random noise".

Telegram currently uses SHA-512, a hashing algorithm. SHA-512 is not designed for hashing passwords, and it is said to leave passwords vulnerable to brute-force attacks even though they are salted. For readers unfamiliar with the salting process: a salt is random data that is added as an extra secret value and extends the length of the original password. This, in turn, provides some additional protection to the data.

"It's 2018 and one top-level GPU can brute-force check about 1.5 billion SHA-512 hashes per second. That means that ten such GPUs (a small cryptocurrency mining farm) can check each and every 8 char password from a 94 char alphabet in 4.7 days! That's $135/password in the worst-case scenario, using US average electricity costs for the calculation. In practice though, this number can go down to $5/password or even less, given people's choices of password complexity."

To cut it short, Telegram Passport is a useful tool; however, due to its security flaws, the feature might lose its popularity among users. The report from Virgil Security, Inc. also mentions that "the security of the data you upload to Telegram's Cloud overwhelmingly relies on the strength of your password since brute force attacks are easy with the hashing algorithm chosen".
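The contrast the report draws, as an added example that is not code from Telegram, Virgil Security or this article: a single salted SHA-512 digest beside a deliberately expensive password hash, plus the keyspace arithmetic behind the quoted 4.7-day figure. The use of scrypt, its cost parameters and all function names are assumptions chosen for illustration; the page does not name a replacement algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Rate quoted on the page: about 1.5 billion SHA-512 hashes/s on one GPU.
GPU_SHA512_RATE = 1.5e9

def weak_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-512: the salt makes each record unique, but every
    guess still costs only one fast digest."""
    return hashlib.sha512(salt + password.encode()).digest()

def exhaustive_days(alphabet: int, length: int, guesses_per_sec: float) -> float:
    """Days needed to try every password of exactly `length` characters."""
    return alphabet ** length / guesses_per_sec / 86400

# Assumed scrypt cost (not from the page): N=2**14, r=8, p=1 needs
# roughly 16 MiB of memory per guess, which limits GPU parallelism.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=64)

def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using a memory-hard KDF; store both."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest

def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = strong_hash(password, salt)
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # Ten GPUs, 8 characters, 94-character alphabet (figures from the quote).
    days = exhaustive_days(94, 8, 10 * GPU_SHA512_RATE)
    print(f"salted SHA-512, full 8-char keyspace: {days:.1f} days")
    salt, stored = strong_hash("constructed sample password")
    print("verify correct:", verify("constructed sample password", salt, stored))
    print("verify wrong:  ", verify("another guess", salt, stored))
```

The salt changes the stored digest but not the per-guess cost, which is why the quoted estimate is unaffected by salting; only a slower or memory-hard function raises that cost.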

