Messaging app Telegram has become the latest victim of cryptocurrency mining malware, as researchers at Kaspersky Lab have revealed a now-patched vulnerability that allowed hackers to exploit a flaw in the platform’s file transfer service.

Kaspersky said that the vulnerability, which was first exploited in March 2017 and discovered by researchers in October, was a “classic right-to-left override attack.”

Simply put, this attack exploited the portion of Telegram’s software that enabled the messenger to recognize Arabic and Hebrew, languages which are read right to left. The hackers were able to use this feature to reverse the order of characters in filenames, which allowed them to disguise suspicious file extensions as images or other seemingly non-threatening file types.

After users downloaded the files, embedded scripts would silently unleash a malware payload on the target operating system. One of the most prominent payloads was malware that harnessed the target computer’s processing power to mine cryptocurrencies for the attackers.

cryptocurrency mining malware
Source: Kaspersky

These miners were primarily developed for the Equihash and Cryptonight mining algorithms, which are employed by privacy-centric cryptocurrencies Zcash (ZEC) and Monero (XMR), respectively.

Although the vulnerability affected all Telegram users, Kaspersky said that it appears only Russian hackers exploited it, which is why the vast majority of victims were Russian residents.

These types of attacks have become quite common in recent months, particularly since the development of CoinHive, a mining script that can be implemented into the background of websites and used to harness the computing power of visitors.

As BlockExplorer reported, more than 4,200 websites hosted by government agencies in the US and UK have recently been compromised through the use of a tool called BrowseAloud and injected with CoinHive-based mining malware scripts.

Telegram denied that exploit was the result of a “real vulnerability,” arguing that users bore responsibility for choosing to download the files.

“This is not a real vulnerability on Telegram Desktop, no one can remotely take control of your computer or Telegram unless you open a (malicious) file,” Reuters cited the company as saying in a statement.

Nevertheless, the timing of the vulnerability’s disclosure is awkward for Telegram, as the company is reportedly preparing to launch a record-shattering initial coin offering (ICO) that could raise up to $2 billion.

Featured Image from MaxPixel

zk-starks

A team of researchers has released a white paper for zk-starks, a much-anticipated blockchain privacy technology that has been lauded as a way to achieve zcash-level privacy without the risk of using a trusted setup.

One of the chief criticisms of using public blockchains like bitcoin to store monetary value is that they are the equivalent of making everyone’s bank account records publicly-accessible. Though the data is technically pseudonymous, it is often quite simple for governments and other powerful actors to associate addresses with their owners.

The zk-starks white paper, published on Jan. 12 by a team of researchers led by Eli Ben-Sasson of the Technion-Israel Institute of Technology, represents the latest attempt to use zero-knowledge (ZK) proofs to rectify the need for a public ledger to validate the integrity of the blockchain with the importance of protecting user privacy.

The white paper states:

“Human dignity demands that personal information, like medical and forensic data, be hidden from the public. But veils of secrecy designed to preserve privacy may also be abused to cover up lies and deceit by parties entrusted with Data, unjustly harming citizens and eroding trust in central institutions.”

The gripe with current ZK implementations — the most notable of which is the zk-snark technology currently used by the zcash cryptocurrency — is that they require the creation of a “master key.” The team behind zcash went to elaborate lengths to ensure that this key was not compromised during the launch of the network and was destroyed after its deployment.

However, the problem with such a trusted setup is that there is no way to conclusively verify that the key was destroyed without being compromised by a potentially hostile actor, who could use it to print new units of currency at will. The stakes of this trusted setup only increase along with zcash’s market cap, creating what some would term untenable systemic risk if zcash ever approached mass adoption.

“Public trust demands transparency from ZK systems, meaning they be set up with no reliance on any trusted party, and have no trapdoors that could be exploited by powerful parties to bear false witness,” Ben-Sasson and his co-authors continue, adding that unfortunately “no ZK system realized thus far in code (including that used by crypto-currencies like Zcash™) has achieved both transparency and exponential verification speedup, simultaneously, for general computations.”

Zk-starks (short for a zero-knowledge system that is a scalable and transparent argument of knowledge), if realized, could introduce transparency into the equation while also retaining the blockchain’s scalability.

The white paper includes a proof-of-concept in which police investigators prove that an allegedly-corrupt presidential candidate’s DNA does not appear in the department’s forensic DNA database, without compromising the integrity or confidentiality of either the candidate’s DNA or the database.

However, as the paper notes, zk-snarks are “roughly 1000x shorter” than zk-stark proofs, so more research will be needed to mitigate this problem through shorter proofs or another solution.

Notably, researchers are also exploring ways to implement ZK proofs into Bitcoin. Stanford University’s Applied Cryptography Group, for instance, recently released a white paper for Bulletproofs, a ZK protocol that could be used to increase the privacy of bitcoin transactions without a trusted setup.

Featured Image from Pexels

The Barry Silbert-led investment firm Grayscale has submitted an official filing for the Zcash Investment Trust with the U.S. Securities and Exchange Commission (SEC).

As first uncovered by WhalePool, a prominent cryptocurrency trading group, Grayscale filed a “Notice of Exempt Offering of Securities” with the SEC earlier this week. The filing states the firm’s intent to sponsor a trust that will invest in Zcash, an anonymity-centric cryptocurrency that just celebrated its first birthday and currently holds the 16th spot in the market cap rankings with a total valuation of about $591 million.

The filing indicates that the trust already has nine investors who have contributed a combined total of more than $11.6 million, although the minimum investment threshold is much lower at $10,000. Initially, the trust will only be available to accredited investors.

Grayscale — a subsidiary of the Digital Currency Group — recently surpassed $1 billion in assets under management (AUM). Most of those assets are concentrated in the Bitcoin Investment Trust (OTC: GBTC), a publicly-listed security that is currently traded over-the-counter (OTC) and can be purchased through any brokerage account. Wall Street analyst and bitcoin bull Tom Lee recently called GBTC an “attractive” investment, predicting that it could triple in value over the course of the next five years.

Although many firms have filed to launch exchange-traded funds (ETFs) that either track the price of bitcoin or hold the asset directly, the SEC has yet to approve one. Consequently, GBTC remains the only U.S. exchange-listed vehicle that gives institutional investors exposure to crypto assets.

Grayscale has also sponsored the Ethereum Classic Trust, although, like the Zcash trust, this product is currently only available to accredited investors. Since launching in April of this year, the underlying assets represented by Ethereum Classic Trust shares have risen in value from $4.30 to $10.14 and the trust’s AUM has tripled to about $36 million.

The firm has not yet confirmed the news of the Zcash Investment Trust, but it did hint that it would announce “additional investment products” in a tweet posted two weeks ago.