Telegram Tech Promised In ICO Vulnerable to Attack, Researchers Say
With $1.7 billion in the bank following its initial coin offering (ICO), Telegram has released its first crypto-friendly feature – but security researchers are skeptical.
As detailed in a blog post published today, Virgil Security, a U.S.-based startup, has identified several weaknesses in the new identity verification app, called Passport. While the company praised Telegram for publishing the application's API as open source, allowing the code to be checked by other experts, Virgil Security detailed two problems with the app: how it encrypts data and how it protects stored data.
"Their commitment to openness gives security practitioners the opportunity to review their implementation and, ideally, help improve it," Virgil Security's Alexey Ermishkin wrote on the company's blog, adding:
"Unfortunately Passport's security disappoints in several key ways."
Telegram has never publicly announced or verified the existence of its billion-dollar ICO. But as documents started to leak earlier this year, it became clear that the company, more widely known for its chat app, aimed to compete with many of the services – from filesharing to encrypted browsing – that crypto startups had already proposed.
Plus, it wanted to bring blockchain-based payments to the Telegram chat app, which in recent years has become popular among the crypto community.
Payments and identity verification go hand-in-hand, making Passport a natural early offering from the company. Plus, disrupting the digital ID incumbents like Equifax, which keep data in centralized databases vulnerable to breach and abuse, has long been a shared goal of the cryptocurrency community, so it is a fitting place for Telegram to start.
In its blog post about the new product, Telegram promises that "your identity documents and personal data will be stored in the Telegram cloud using end-to-end encryption. It is encrypted with a password that only you know, so Telegram has no access to the data you store in your Telegram passport."
It goes on to promise that, eventually, this data will be stored in a decentralized fashion. Identity was one of the components of the ambitious blockchain-based system that Telegram promised in its ICO technical whitepaper.
But from the looks of Virgil Security's findings, Telegram needs to go back to the drawing board.