Phone numbers are exposed in the userbot tokens #48

Open
luckydonald opened this issue Jan 17, 2021 · 6 comments
Labels
bug Something isn't working

Comments

@luckydonald
Collaborator

First of all it does it differently from the bots, where the id of the bot is everything in front of the colon :.

Additionally it exposes the phone number at several places which is not needed, or even a security concern.

One example is the stats page, where it now incorrectly gets listed as id of the account.
Additionally it is included in every request where probably the anonymous user id would be a perfectly fine replacement.

luckydonald added a commit to luckydonald-forks/tdlight-telegram-bot-api that referenced this issue Jan 17, 2021
@andrew-ld
Member

close?

@MarcoBuster MarcoBuster added the bug Something isn't working label Jan 23, 2021
@luckydonald
Collaborator Author

luckydonald commented Jan 23, 2021

@andrew-ld the underlying issue of exposing the phone numbers for tokens isn't solved.

  • (a) Maybe recreating the bot once the auth has worked could be a way to make that at least temporary until you're properly logged in.

  • (b) A different way would be to spin up a separate client instance to resolve the user id first, and only then add the bot to the usual list of running bots.
    I outlined that a bit here: https://t.me/TDLightChat/3050 and the messages after that.

    So apparently all we really would need is a dc_id, and a matching auth_key.
    (...)
    In my own Bot API implementation I would simply spawn a client with that dc_id and auth_key (and the dc's ip and port to not need to do that annoying lookup), to see if I have all the data needed to log in and if not, ask for more info.
    https://github.com/luckydonald/telegram_bot_api_server/blob/master/telegram_bot_api_server/main.py#L184

    It was done that way because it was not trivial to change the token after the session has been created.

    At least not with the normal bot instances which also do all of the update handling.

@penn5

penn5 commented Feb 2, 2021

I suggest generating a random number 2^32 > n >= 2^31 (so it's not a valid tg id) and using that as the id part of the token, and then putting the phone number in the bot token. To ensure there is no confusion, the first of the 2 version bytes can be set to a magic number for tdlight.
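An added example of the token layout penn5 proposes, written for this thread rather than taken from tdlight: the id part is a random value in [2^31, 2^32), which cannot be a valid Telegram id under the comment's assumption that real ids are below 2^31, and the phone number lives only in the secret part after the colon behind two version bytes. The magic byte value, the base64url encoding of the secret part and the phone-number check are assumptions; the page specifies none of them.

```python
import base64
import re
import secrets

# Assumed layout (the issue fixes none of this): "<id>:<base64url(magic, version, phone)>".
TDLIGHT_MAGIC = 0xB7   # placeholder magic for the first version byte
TOKEN_VERSION = 0x01   # placeholder second version byte
PHONE_RE = re.compile(r"^\+?[0-9]{5,15}$")


def make_userbot_token(phone: str) -> str:
    """Build a userbot token whose id part is random in [2^31, 2^32), so it
    can never be read as a real (sub-2^31) Telegram id, and whose phone
    number lives only in the secret part after the colon."""
    if not PHONE_RE.match(phone):
        raise ValueError("phone must be 5-15 digits with an optional leading +")
    fake_id = 2**31 + secrets.randbelow(2**31)
    payload = bytes([TDLIGHT_MAGIC, TOKEN_VERSION]) + phone.encode("ascii")
    secret = base64.urlsafe_b64encode(payload).decode("ascii").rstrip("=")
    return f"{fake_id}:{secret}"


def parse_token(token: str) -> dict:
    """Classify a token: regular bot tokens keep their real id (< 2^31);
    userbot tokens are recognised by the id range plus the magic byte."""
    id_part, sep, secret = token.partition(":")
    if not sep or not id_part.isdigit() or not secret:
        raise ValueError("malformed token")
    ident = int(id_part)
    if ident < 2**31:
        return {"kind": "bot", "id": ident, "phone": None}
    if ident >= 2**32:
        raise ValueError("id part out of range")
    padded = secret + "=" * (-len(secret) % 4)
    try:
        payload = base64.urlsafe_b64decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret part is not base64url") from exc
    if len(payload) < 3 or payload[0] != TDLIGHT_MAGIC:
        raise ValueError("not a tdlight userbot token (magic byte missing)")
    phone = payload[2:].decode("ascii", errors="replace")
    if not PHONE_RE.match(phone):
        raise ValueError("phone number in token is malformed")
    return {"kind": "userbot", "id": ident, "phone": phone}


def display_id(token: str) -> str:
    """The only part a stats page or log line should show."""
    return token.partition(":")[0]
```

Anything that prints or logs a token (the stats page mentioned above, request logs) should go through `display_id`, so the phone number never leaves the secret part.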

@luckydonald
Collaborator Author

@penn5 That would be a good compromise.

@luckydonald
Collaborator Author

@spontanurlaub Thoughts?

@spontanurlaub
Collaborator

I first tried to create a token with the user_id after the login, but I couldn't get it to work "moving" the tdlib instance to a new token after it was created. We could of course use a random number in the id part, but I actually like the phone number there because I have to work with a bunch of tokens, and without it it is hard to tell which token belongs to which account without calling getMe.

The token should be kept secret anyway, so having the phone number there is not a problem. Apart from the stats page (which is fixed now) I'm not aware of any place where the bot token or a part of it is displayed.
