Virgil Security, a cybersecurity startup, has revealed several vulnerabilities in the recently introduced Telegram Passport. Based on the results of its research, experts are skeptical about the security features of the Telegram Open Network.
Telegram's developers announced plans to launch Passport, an application for user authorization, during the ICO in which the company attracted a record $1.7 billion in investment. On June 26, the messenger team introduced a new service for storing and safely sending personal identification documents, which immediately drew the attention of hackers and digital security experts.
Virgil Security was among the first to audit the service's open source code and the first to report two obvious security problems: incorrect data encryption and a vulnerable information storage mechanism.
"Unfortunately, Passport's security disappoints in several key ways," Alexey Ermishkin, a leading cryptographer at Virgil Security, wrote in the company's blog.
In its Passport announcement, the Telegram team promised end-to-end data encryption and decentralized storage of information in the cloud. However, according to Virgil Security's research, Passport is far from perfect.
First, the storage is not decentralized: the data is currently kept on the company's own servers. As soon as millions of users start uploading their personal data to the new service, Telegram will instantly become a tasty morsel for hackers. Intruders could work through insiders within the company, or plug a simple USB flash drive carrying a virus that extracts the data into a server.
Secondly, the information uploaded to Passport is not signed with cryptographic keys. Without a digital signature, it is impossible to establish who owns the data or to confirm that it has not been altered. Because of this weakness, a hacker who has gained unnoticed access can easily change the information in whole or in part.
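The second finding above, as an added example that is not from the article, Virgil Security or Telegram: a document blob encrypted with AES-CTR and stored either unsigned or with an Ed25519 signature by its owner. The key, nonce layout, record format and function names are constructed for the example; Open shows that without a signature a modified blob is indistinguishable from the original, while with one both a changed blob and a swapped owner key are rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
)

var key = []byte("constructed-demo-key-32-bytes!!!") // constructed AES-256 key for the example

// Record is one stored document blob: AES-CTR ciphertext (nonce prepended), the owner's
// public key and an Ed25519 signature over the ciphertext. nil Sig = unsigned, as in the article.
type Record struct {
	Ciphertext []byte
	Owner      ed25519.PublicKey
	Sig        []byte
}

// ctr gives confidentiality only: a flipped ciphertext byte silently flips the same plaintext byte.
func ctr(nonce, in []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out
}

// Seal encrypts doc under a fresh nonce and, when priv is non-nil, signs the
// ciphertext so the owner and the exact stored bytes are bound together.
func Seal(doc []byte, priv ed25519.PrivateKey) Record {
	nonce := make([]byte, aes.BlockSize)
	rand.Read(nonce)
	r := Record{Ciphertext: append(nonce, ctr(nonce, doc)...)}
	if priv != nil {
		r.Owner = priv.Public().(ed25519.PublicKey)
		r.Sig = ed25519.Sign(priv, r.Ciphertext)
	}
	return r
}

// Open verifies the signature when present, then decrypts; an unsigned blob has nothing to check, so a modified one passes.
func Open(r Record) ([]byte, bool) {
	if len(r.Ciphertext) < aes.BlockSize {
		return nil, false
	}
	if r.Sig != nil && (len(r.Owner) != ed25519.PublicKeySize || !ed25519.Verify(r.Owner, r.Ciphertext, r.Sig)) {
		return nil, false // signed: any change to the stored bytes or the owner key is caught here
	}
	return ctr(r.Ciphertext[:aes.BlockSize], r.Ciphertext[aes.BlockSize:]), true
}
```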
"End-to-end encryption has become a marketing feature and that is a double-edged sword. Now, when people see 'end-to-end encrypted' they believe that their data will safely be sent to a third party without worries of it being decrypted or tampered with. Unfortunately, Passport users will have a false sense of confidence about the security and privacy of their data as it can be breached due to the weakness of Passport's password security," Ermishkin stated in the research.
WHY IS IT IMPORTANT?
1. Telegram has proved itself to be an instant messenger that refuses to hand over data about its users to the authorities. "Freedom and privacy" are the two main values the company stands for. This is why Telegram is still blocked by the Russian government for failing to cooperate. Earlier it was blocked in Iran, China, Saudi Arabia, Afghanistan and Indonesia.
2. Users all around the world trust Pavel Durov's product, as evidenced by the early closure of the ICO.
3. Telegram Passport was specifically designed to securely store personal documents and verify users' identities. Its vulnerabilities will be a feast for hackers.