Habr User Found Out How to Hack Telegram Passport

The vulnerability allows to steal users' personal data
01 August 2018   554

The user of Habr, one of the largest Russian-speaking IT media, under the nick Scratch was able to find out a vunerability in Telegram Passport, an ID service from the developers of popular messanger. The vulnerability allows to steal users' personal data. It is caused by the encrypting algorithms, which are used by the solution.This is reported by Security Lab.

As reported, in fact, the encryption in Telegram Passport is not end-to-end in the usual sense, but a specially developed algorithm. Encrypted personal data and an almost random cryptographic key, as well as a hash from personal data, mixed with random bytes, are transmitted to the cloud storage. Scratch says that this information is enough to conduct a successful brute-force attack and to steal personal data of users of the service.

This is by no means a "random noise", it has everything necessary, including an encryption key protected by password. And it allows you to get to user data much, much faster than sorting out all possible combinations of AES keys (2 ^ 256). Also, such mechanisms invented by the authors of Telegram as a validation of the key with the help of the sum of bytes, the involvement of the data itself in the formation of the key of their own encryption and the data hash instead of HMAC are also highly questioned.
 

Scratch

User, Habr

The developer described in detail all the algorithms that the service uses to provide encryption, and also described an approximate plan for using bruteforce attack to hack the service. In addition, he cited several services that use "real" end-to-end encryption. Among them - the messengers Signal and Whatsapp.

In addition, the security expert noted that the speed of hacking depends on the length of the user's password. For protection, he proposed to come up with a complex password longer than 8 characters, which, in his opinion, uses a very small number of users.

The tool for fast authentication and storage of user data Telegram Passport officially came out on July 26, 2018. It has already been criticized for security policy by Anton Rosenberg, the former colleague of the creator of the Telegram, Pavel Durov.

Porteus Kiosk 4.8.0 to be Available

Porteus Kiosk is OS designed for stand-alone kiosks, self-service terminals and display booth 
22 January 2019   89

The release of the Porteus Kiosk 4.8.0 distribution kit, based on Gentoo, is designed to equip stand-alone internet kiosks, display booths and self-service terminals. The boot image of the distribution is 93 MB.

The basic build includes only the minimum set of components required to launch a web browser (Firefox and Chrome are supported), which is reduced in its capabilities to prevent unwanted activity in the system (for example, setting changes are not allowed, application download / install is blocked, access to selected pages). Additionally, specialized Cloud assemblies are offered for comfortable work with web applications (Google Apps, Jolicloud, OwnCloud, Dropbox) and ThinClient for working as a thin client (Citrix, RDP, NX, VNC and SSH) and Server for managing a network of kiosks.

Setup is done through a special wizard, which is combined with the installer and allows you to prepare a customized version of the distribution for placement on a USB Flash or hard drive. For example, you can set a default page, define a white list of allowed sites, set a password for the guest login, define an inactivity timeout to end a session, change the background image, adjust the browser design, add additional plug-ins, enable wireless network support, configure keyboard layout switching and more. 

When loading, verification of system components by checksums is performed, and the system image is mounted in read-only mode. Updates are installed automatically using the mechanism of formation and atomic replacement of the system image as a whole. It is possible to centrally configure a group of typical Internet kiosks remotely with configuration loading over the network. Due to the small size, the default distribution is loaded entirely into RAM, which allows to significantly increase the speed of work.