Telegram Tech Promised In ICO Vulnerable to Attack, Researchers Say

With $1.7 billion in the bank following its initial coin offering, Telegram has released its first crypto-friendly feature - but security researchers are skeptical.

While the company praised Telegram for publishing the application's API as open source, allowing the code to be checked by other experts, Virgil Security detailed two problems with the app: how it encrypts data and how it protects stored data.

Plus, disrupting the digital ID incumbents like Equifax, which keep data in centralized databases vulnerable to breach and abuse, has long been a shared goal of the cryptocurrency community, so it's is a fitting place for Telegram to start.

In its blog post about the new product, Telegram promises that "Your identity documents and personal data will be stored in the Telegram cloud using end-to-end encryption. It is encrypted with a password that only you know, so Telegram has no access to the data you store in your Telegram passport."

It goes on to promise that, eventually, this data will be stored in a decentralized fashion, Identity was one of the components of the ambitious blockchain-based system that Telegram promised in its ICO technical whitepaper.

From the looks of Virgil Security's findings, Telegram needs to go back to the drawing board.

In particular, Virgil Security focuses on the fact that Telegram uses SHA-512 to hash passwords.

Before an attacker could begin its attack, it would need to first breach Telegram itself, as Virgil acknowledges.

"To access the password hashes, the attack would have to be internal to Telegram. The ways that could happen are numerous - insider threat, spearphish, one rogue USB stick, etc," Virgil Security co-founder Dmitry Dain told CoinDesk.

With Virgil Security's critiques and the newness of the product, it should be relatively simple for Telegram to harden its security.