Habr User Found Out How to Hack Telegram Passport

The vulnerability allows attackers to steal users' personal data
01 August 2018

A user of Habr, one of the largest Russian-language IT media outlets, who goes by the nickname Scratch, has found a vulnerability in Telegram Passport, an ID service from the developers of the popular messenger. The vulnerability allows attackers to steal users' personal data. It stems from the encryption algorithms the service uses. This is reported by Security Lab.

As reported, the encryption in Telegram Passport is not end-to-end in the usual sense but relies on a specially developed algorithm. Encrypted personal data, an almost random cryptographic key, and a hash of the personal data mixed with random bytes are transmitted to the cloud storage. Scratch says this information is enough to conduct a successful brute-force attack and steal the personal data of the service's users.

This is by no means "random noise"; it has everything necessary, including an encryption key protected by a password. And it allows you to get to user data much, much faster than trying all possible combinations of AES keys (2^256). Also, such mechanisms invented by the authors of Telegram as validation of the key with the help of the sum of bytes, the involvement of the data itself in the formation of its own encryption key, and the data hash instead of HMAC are highly questionable.


User, Habr

The developer described in detail all the algorithms the service uses for encryption and outlined an approximate plan for a brute-force attack on the service. He also cited several services that use "real" end-to-end encryption, among them the messengers Signal and WhatsApp.

In addition, the security expert noted that the speed of the attack depends on the length of the user's password. For protection, he proposed using a complex password longer than 8 characters, which, in his opinion, very few users do.

Telegram Passport, a tool for fast authentication and storage of user data, was officially released on July 26, 2018. Its security policy has already been criticized by Anton Rosenberg, a former colleague of Telegram's creator, Pavel Durov.

Nvidia to Open MDL SDK Source Code

As reported, this set of tools integrates the precise look and feel of real-world materials into rendering applications
15 August 2018

NVIDIA opened the source code of the Material Definition Language SDK. This tool kit is designed for transferring material parameters to any application for drawing 3D graphics. The tools will allow developers to use more applications for rendering and transfer projects to the Android and iOS platforms.

As an example, the company introduced fabric materials created in Allegorithmic Substance Designer. They can be saved in the library and quickly transferred to the Adobe Dimension CC application. The tools were also introduced into Unreal Studio 4.20 from Epic Games, designed to import 3D models into the Unreal Engine.

Being able to use a single material definition, like NVIDIA’s MDL, across multiple applications and render engines is a huge benefit to the end-user. Now that we’ve added MDL support to Unreal Studio, our enterprise customers can see their material representations converted to real time in Unreal Engine without baking every parameter. This means their creative intent can be carried to new forms of expression.

Ken Pimentel

Senior product manager of the Enterprise team, Epic Games

The tool kit also contains components for loading, checking and editing material parameters and converting them into PTX and LLVM-IR formats. More information is available on GitHub.