Telegram, the company known more for its chat app than its ICO, recently announced its first crypto-friendly tech, called Passport. The company’s ICO has never been made public, though it is known to have raised $1.7 billion from the sale of its tokens.
This is according to information garnered from public documents filed by the company with the US Securities and Exchange Commission.
However, reports published by the security firm Virgil Security revealed that the proposed Passport ID verification project has some security flaws.
The US-based company said that the new app proposed by Telegram has weaknesses in how it intends to encrypt stored data and how it secures it.
Virgil Security also praised Telegram for making the API of the proposed ID verification app open source, giving security experts the opportunity to assess its code and verify its integrity.
“Their commitment to openness gives security practitioners the opportunity to review their implementation and, ideally, help improve it,” Virgil Security’s Alexey Ermishkin wrote on the company’s blog, adding:
“Unfortunately Passport’s security disappoints in several key ways.”
Although the Telegram ICO was never made public, documents show that the company plans to compete with other fintech startups in fields such as file sharing and secure browsing.
It also intends to introduce crypto-based payments to its messaging app, which has become quite popular with the crypto community.
The Telegram “Passport” is not a surprising project, since payment and ID verification go hand in hand. Disrupting traditional digital identification systems, such as those provided by pioneers like Equifax, has been one of the objectives of the decentralized sphere that blockchain represents. Centralized systems are prone to abuse and security threats because data is stored in one place.
In a release about the project, Telegram wrote,
“Your identity documents and personal data will be stored in the Telegram cloud using end-to-end encryption. It is encrypted with a password that only you know, so Telegram has no access to the data you store in your Telegram passport.”
The company said that data storage and protection will be decentralized in the Telegram Open Network (TON), one of the most ambitious ICO projects the ecosystem has seen. Identification is an integral aspect of TON, although, judging from the recent Virgil Security report, the company has more work to do.
In its criticism of Telegram Passport, Virgil took issue with the way Telegram hashes passwords on the Passport platform, raising concern about its use of SHA-512.
“It’s 2018 and one top-level GPU can brute-force check about 1.5 billion SHA-512 hashes per second,” Virgil wrote, going on to state that a hacker could crack such passwords at a cost of between $5 and $135 each, depending on the password strength chosen by the user.
The criticism nevertheless acknowledged that for this to be possible, the hacker would first need to breach Telegram’s outer security layer.
“To access the password hashes, the attack would have to be internal to Telegram. The ways that could happen are numerous — insider threat, spearphish, one rogue USB stick, etc,” Virgil Security co-founder Dmitry Dain said.
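To make the SHA-512 criticism concrete, here is an added example (not Telegram’s code and not Virgil Security’s) that puts a single-pass SHA-512 password hash beside a deliberately slow key derivation and estimates, from the 1.5 billion hashes per second figure quoted above, how long an average brute-force search would take in each case. PBKDF2-HMAC-SHA-512 with 600,000 iterations is used purely as a generic stand-in for a slow KDF; it is an assumption of this example, not the post’s recommendation, and the salt and sample password are constructed.

```python
"""Added example: why a fast hash is a poor password store.

With a single SHA-512 pass, every attacker guess costs one hash, so the
quoted GPU rate applies directly. A slow KDF (PBKDF2 here, chosen for this
example) multiplies the cost of every guess by its iteration count.
"""
import hashlib
import hmac
import math
import os

# Throughput quoted in the Virgil Security post for one top-level GPU.
GPU_SHA512_RATE = 1.5e9


def weak_derive(password: str, salt: bytes) -> bytes:
    """One SHA-512 pass over salt||password: one GPU hash per attacker guess."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def strong_derive(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA-512 (stand-in slow KDF, assumed for this example).

    Each guess now costs `iterations` HMAC evaluations, i.e. at least
    `iterations` SHA-512 computations, which is what the estimate below counts.
    """
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, hashes_per_guess: int,
                           rate: float = GPU_SHA512_RATE) -> float:
    """Average-case search time: half the keyspace, each guess costing
    `hashes_per_guess` SHA-512 evaluations at `rate` hashes per second."""
    return (2.0 ** entropy_bits / 2.0) * hashes_per_guess / rate


def verify(password: str, salt: bytes, stored: bytes, derive) -> bool:
    """Constant-time comparison so verification itself leaks no timing info."""
    return hmac.compare_digest(derive(password, salt), stored)


if __name__ == "__main__":
    salt = os.urandom(16)          # constructed per-user random salt
    pw = "correct horse"           # constructed sample password
    bits = password_entropy_bits(8, 62)   # 8 random alphanumerics, about 47.6 bits
    for label, per_guess in (("SHA-512 only", 1), ("PBKDF2 x600k", 600_000)):
        secs = expected_crack_seconds(bits, per_guess)
        print(f"{label:14s} {secs / 86400:14.1f} GPU-days")
    stored = strong_derive(pw, salt)
    print("verify ok :", verify(pw, salt, stored, strong_derive))
    print("verify bad:", verify("wrong password", salt, stored, strong_derive))
```

The estimate only counts attacker work; it says nothing about the dollar figures in the post, which depend on GPU pricing assumptions the article does not give. The point the numbers make is that the iteration count of the KDF is the multiplier on every guess, so raising it is the mitigation regardless of how the hashes were obtained.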