Private user data stored in the Telegram Passport service can be obtained by simple password brute forcing in just a few days and at minimal cost. The cryptography company Virgil Security drew attention to this.
The issue is that the service uses SHA-512 to hash the password. This is vulnerable to brute force: a powerful graphics processor is enough, as it can check up to 1.5 billion hashes per second. Thus, brute-forcing an 8-character password from a 94-character alphabet takes 4.7 days and $135 at United States electricity prices. And given how carelessly people often choose passwords, this amount may be reduced to $5.
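An added example, not code from Telegram or Virgil Security: it contrasts a single salted SHA-512 pass (an assumed stand-in for the fast hash described above, not Telegram's exact scheme) with PBKDF2-HMAC-SHA512 key stretching, and measures what one guess costs on the local machine. The function names, salt layout and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example; tune to your hardware


def weak_hash(password: str, salt: bytes) -> bytes:
    """Single salted SHA-512 pass: one cheap hash per guess."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def stretched_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA512: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the stretched hash and compare in constant time."""
    return hmac.compare_digest(stretched_hash(password, salt, iterations), stored)


def seconds_per_guess(hash_fn, trials: int) -> float:
    """Average wall-clock cost of one guess on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(f"guess-{i}", salt)
    return (time.perf_counter() - start) / trials


def slowdown_factor(iterations: int = PBKDF2_ITERATIONS) -> float:
    """How many times more expensive one guess becomes with stretching."""
    weak = seconds_per_guess(weak_hash, 20_000)
    strong = seconds_per_guess(lambda p, s: stretched_hash(p, s, iterations), 5)
    return strong / weak


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample values, not real credentials
    stored = stretched_hash("correct horse 42", salt)
    print("verify ok:", verify("correct horse 42", salt, stored))
    print("verify wrong:", verify("password1", salt, stored))
    print(f"per-guess slowdown: {slowdown_factor():,.0f}x")
```

Exhaustive search time grows linearly with the per-guess cost, so the measured factor multiplies the time and electricity figures for a fast hash. PBKDF2 is not memory-hard; scrypt or Argon2 raise the cost on GPUs further.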
But it is not that simple: for the attack to begin, access to the password hashes is needed. There are a variety of methods for this, including phishing e-mails, malicious USB sticks, etc.
In the same way, 58 million passwords were stolen from the LivingSocial and LinkedIn services. A sufficient level of security could be achieved with end-to-end encryption, which prevents third parties from accessing the cryptographic keys. However, the developers of Telegram have decided to ignore this.
The Telegram Passport service lets users upload scans of passports, other documents, account numbers and other sensitive information to the messenger. Other applications may request certain information about the user, asking for permission each time.