Vulnerability Discovered in Telegram Passport Service
A vulnerability has been found in the recently launched Telegram Passport service for storing documents. A user of the Habr portal, known as Scratch, discovered a method to steal user data from Telegram Passport, which is designed for document storage and instant authentication.
How the Vulnerability Works
According to Scratch, the service sends encrypted user data, cryptographic keys, and a hash of personal data mixed with random bytes to the cloud. He claims that this information is enough to hack the service and steal user data using a brute-force attack.
“This is far from ‘random noise’—everything needed is here, including the encryption key protected by a password. This allows access to user data much, much faster than trying all possible AES key combinations (2^256). There are also serious doubts about Telegram’s custom mechanisms, such as checking the key’s validity using a byte sum, involving the data itself in forming its own encryption key, and using a data hash instead of HMAC,” the expert noted.
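The doubt quoted above about checking a key's validity with a byte sum rather than a keyed MAC can be made concrete by counting how many unrelated random keys each kind of check accepts. This is an added example, not code from the article, from Scratch or from Telegram; the modulus, target residue, label string and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import random

# Assumed parameters for the byte-sum check (illustrative, not from the article).
MODULUS, TARGET = 255, 239
KEY_LEN = 32  # 256-bit key, the AES key size the quote refers to


def byte_sum_ok(key: bytes) -> bool:
    """Checksum-style validity test: passes if the byte sum hits a fixed residue."""
    return sum(key) % MODULUS == TARGET


def new_key(rng: random.Random) -> bytes:
    """Constructed sample key whose last byte is chosen so the byte sum passes."""
    body = rng.getrandbits(8 * (KEY_LEN - 1)).to_bytes(KEY_LEN - 1, "big")
    return body + bytes([(TARGET - sum(body)) % MODULUS])


def key_tag(key: bytes) -> bytes:
    """Keyed check value: HMAC-SHA256 over a fixed label, stored beside the data."""
    return hmac.new(key, b"key-check-v1", hashlib.sha256).digest()


def false_accepts(trials: int, seed: int = 1) -> tuple:
    """Count unrelated random keys that each check accepts as 'the valid key'."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    stored_tag = key_tag(new_key(rng))
    by_sum = by_hmac = 0
    for _ in range(trials):
        guess = rng.getrandbits(8 * KEY_LEN).to_bytes(KEY_LEN, "big")
        by_sum += byte_sum_ok(guess)
        # Constant-time comparison, as a MAC verification should use.
        by_hmac += hmac.compare_digest(key_tag(guess), stored_tag)
    return by_sum, by_hmac


if __name__ == "__main__":
    n = 100_000
    s, h = false_accepts(n)
    print(f"byte-sum check accepted {s}/{n} wrong keys (about 1 in {n // max(s, 1)})")
    print(f"HMAC tag check accepted {h}/{n} wrong keys")
```

A byte sum passes for roughly one wrong key in 255, so it cannot confirm that a decrypted key is the right one, while the HMAC tag only matches the key that produced it. Neither check affects how hard the password itself is to guess.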
Protection Recommendations
Scratch suggested that one possible way to protect against attackers is to use complex passwords longer than eight characters. However, the number of users who use such protection is relatively small.
About Telegram Passport
Previously, the Telegram messenger team announced the launch of the new cloud service Telegram Passport, which allows users to upload documents and verify their identity on platforms that require client identification. This new feature lets users upload their personal data—such as photos, scanned documents, and bank account information—once, and then use it on websites that require identity verification.