@kalloc
Created September 21, 2023 14:51
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Material held by the wallet backend: the AES-256 key, the 12-byte GCM IV
# and the first ciphertext shard (the second shard, and therefore the GCM tag,
# are not available here)
key = open('key.bin', 'rb').read()
iv = open('iv.bin', 'rb').read()
shard1 = open('shard1.bin', 'rb').read()
ciphertext = shard1

# Initialize AES-GCM cipher
cipher = Cipher(
    algorithms.AES(key),
    modes.GCM(iv),
    backend=default_backend()
)

# Decrypt without authentication tag: GCM is CTR mode plus a tag, so update()
# already yields the plaintext for any ciphertext prefix; finalize_with_tag()
# is simply never called, so the tag is never checked
decryptor = cipher.decryptor()
plaintext = decryptor.update(ciphertext)
print(plaintext)
kalloc commented Sep 23, 2023

Hi 😊, wanna know how @wallet stores your mnemonics?

  1. They encrypt mnemonics using AES-GCM-256 and split the result into two shards.
  2. The first shard (83 bytes), the private key (32 bytes) and the IV (12 bytes) are stored on the wallet backend server.
  3. The second shard (83 bytes) is stored in TG Cloud using window.Telegram.WebApp.CloudStorage.
  4. As they use GCM, the last bytes are part of the mnemonic + AEAD (authentication tag).
  5. As they store a large part of the ciphertext on the backend side together with the private key, they can decrypt part of the mnemonic.
  6. Using a very simple script you are able to decrypt 14 words (of 24); it's enough to make a simpler brute-force attack on a user's target mnemonic.

What to do:

  • wallet side: split the encryption key into two parts using Shamir's secret sharing
  • tg side: implement per-user encrypted storage with a custom (manually entered) encryption key, or one transferable between devices

10 words are still enough to protect from simple and fast brute-force attacks because of the hardness of TON key derivation.
I suggest not storing much liquidity in TON Space or @wallet until they fix the cryptography issues.
Just keep in mind that your key should never leave your own device. Don't store big liquidity in cloud/cex/etc.
Your keys — your money.
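The following Python is an added example, not code from the gist or from the wallet; with constructed key, IV and mnemonic it shows why the comment's points 4 and 5 hold (any holder of key and IV decrypts a ciphertext prefix without ever seeing the GCM tag) and what the proposed fix buys (a 2-of-2 Shamir split of the key, done here over the Mersenne prime 2^521-1, which is this example's own choice of field). It assumes the `cryptography` package is installed.

```python
import os
import secrets
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed sample material (not real wallet data).
KEY = os.urandom(32)                                   # AES-256 key
IV = os.urandom(12)                                    # 96-bit GCM nonce
MNEMONIC = " ".join(f"word{i:02d}" for i in range(24)).encode()
SHARD1_LEN = 83                                        # shard size from the comment
P = 2**521 - 1   # Mersenne prime; every 256-bit key is a field element below it


def gcm_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """AES-256-GCM, returning ciphertext || 16-byte tag (the blob that gets sharded)."""
    enc = Cipher(algorithms.AES(key), modes.GCM(iv)).encryptor()
    return enc.update(plaintext) + enc.finalize() + enc.tag


def decrypt_prefix_without_tag(key: bytes, iv: bytes, fragment: bytes) -> bytes:
    """GCM = CTR keystream + tag: update() alone decrypts any ciphertext prefix.
    finalize_with_tag() is never called, so the missing tag is never needed."""
    return Cipher(algorithms.AES(key), modes.GCM(iv)).decryptor().update(fragment)


def shamir_split_2of2(secret: bytes) -> list:
    """Threshold-2 Shamir shares of a key: points (x, s + a1*x mod P) for x = 1, 2."""
    s = int.from_bytes(secret, "big")
    a1 = secrets.randbelow(P)
    return [(x, (s + a1 * x) % P) for x in (1, 2)]


def shamir_reconstruct(shares: list) -> int:
    """Lagrange interpolation at x = 0 over GF(P). With a single share the
    result is that share's y value, which is unrelated to the key."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo() -> dict:
    blob = gcm_encrypt(KEY, IV, MNEMONIC)
    shard1 = blob[:SHARD1_LEN]                        # what the backend stores
    share_backend, share_tg = shamir_split_2of2(KEY)  # proposed: key split, not blob
    key_int = int.from_bytes(KEY, "big")
    return {
        "backend_reads_prefix": decrypt_prefix_without_tag(KEY, IV, shard1) == MNEMONIC[:SHARD1_LEN],
        "one_share_is_key": shamir_reconstruct([share_backend]) == key_int,
        "both_shares_give_key": shamir_reconstruct([share_backend, share_tg]) == key_int,
    }
```

With the current layout `backend_reads_prefix` is True for every run; with the key itself split, a single share (`one_share_is_key`) is useless and both parties must cooperate to rebuild it.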
