Habr User Found Out How to Hack Telegram Passport

The vulnerability allows to steal users' personal data
01 August 2018   281

The user of Habr, one of the largest Russian-speaking IT media, under the nick Scratch was able to find out a vunerability in Telegram Passport, an ID service from the developers of popular messanger. The vulnerability allows to steal users' personal data. It is caused by the encrypting algorithms, which are used by the solution.This is reported by Security Lab.

As reported, in fact, the encryption in Telegram Passport is not end-to-end in the usual sense, but a specially developed algorithm. Encrypted personal data and an almost random cryptographic key, as well as a hash from personal data, mixed with random bytes, are transmitted to the cloud storage. Scratch says that this information is enough to conduct a successful brute-force attack and to steal personal data of users of the service.

This is by no means a "random noise", it has everything necessary, including an encryption key protected by password. And it allows you to get to user data much, much faster than sorting out all possible combinations of AES keys (2 ^ 256). Also, such mechanisms invented by the authors of Telegram as a validation of the key with the help of the sum of bytes, the involvement of the data itself in the formation of the key of their own encryption and the data hash instead of HMAC are also highly questioned.
 

Scratch

User, Habr

The developer described in detail all the algorithms that the service uses to provide encryption, and also described an approximate plan for using bruteforce attack to hack the service. In addition, he cited several services that use "real" end-to-end encryption. Among them - the messengers Signal and Whatsapp.

In addition, the security expert noted that the speed of hacking depends on the length of the user's password. For protection, he proposed to come up with a complex password longer than 8 characters, which, in his opinion, uses a very small number of users.

The tool for fast authentication and storage of user data Telegram Passport officially came out on July 26, 2018. It has already been criticized for security policy by Anton Rosenberg, the former colleague of the creator of the Telegram, Pavel Durov.

Cloudflare to Develop IPFS Gateway

According to the developers, new gateway will allow to create P2P based websites
20 September 2018   215

Cloudflare told about the IPFS gateway, which will allow creating sites based on P2P network. The company said that access to content will be done without having to install special software on the devices.

As a technology feature, Cloudflare experts note decentralization. Using a standard network scheme with servers involves physical storage of data in one place. Hacking the server or damage to communications as a result of an emergency (for example, a natural disaster) will lead to inaccessibility of information or its loss. The same is threatened with information if the server owner has decided to refuse it.

Cloudflare Network
Cloudflare Network

The IPFS gateway combines computers, on each of which some information is stored, to the worldwide network. Therefore, the inaccessibility of one computer does not mean that the content can not be viewed or downloaded. Therefore, the key differences are two:

  1. With IPFS, anyone can freely post information instead of storing it on remote servers and paying for their services.
  2. Requests for access to data are carried out using cryptographic hashing, rather than by IP address. The query data is converted to a series of letters and numbers, by which the system finds the required files. For example, the query for any information will not like "get information that is located at IP address 93.184.216.34", but the kind "get information with hash sum QmXnnyufdzAWL5CqZ2RnSNgPbvCc1ALT73s6epPrRnZ1Xy". This hash sum is part of the desired file and is on several computers.

The system automatically determines the authenticity of the file. If we take as an example a query with a hash sum QmXnnyufdzAWL5CqZ2RnSNgPbvCc1ALT73s6epPrRnZ1Xy, then when receiving the information it should remain the same. If the hash value differs, then the file has been changed. In other words, the hash-sum can be represented as a unique fingerprint:

IPFS Security
IPFS Security

Supporters of decentralization are also in a number of other companies. Mozilla employees believe that consumers should not be tied to a particular product, brand or platform. In early August 2018, developers published a version of the IoT gateway Things Gateway 0.5. In it, they realized the possibility of loading third-party icons and an interface for complex devices.