
Make telegram bot Webhook secret #10

Open
ohld opened this issue Mar 5, 2021 · 6 comments

Comments

ohld (Owner) commented Mar 5, 2021

Right now everyone can POST events to TelegramBotWebhookView and fake Telegram events. This is a security issue, so it is better to change the webhook URL to contain a secret value like TELEGRAM_TOKEN.

Current Webhook POST endpoint:

/super_secter_webhook

Let's change it to:

/telegram/webhook/<TELEGRAM_TOKEN>

morzik45 commented

So the TELEGRAM_TOKEN can be more easily compromised, for example, in logs.

ohld (Owner, Author) commented Mar 26, 2021

Hm, agreed. In this case I'd add random string generation as part of the webhook endpoint.

VeryBigSad (Contributor) commented

Can't we just:

  1. In settings, do WEBHOOK_URL = ''.join(random.choice(string.digits + string.ascii_letters) for _ in range(26))
  2. In tgbot/urls.py, set the webhook URL to WEBHOOK_URL
  3. Call the Telegram methods deleteWebhook() & setWebhook() every time we start up the bot?
     That way the logs are only valuable as long as we have our instance running. We might also implement changing the URL on the fly every, let's say, 24 hours, but that might be a bit over-engineered.
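
The proposal above (a random path segment registered with setWebhook) together with morzik45's point that the segment ends up in logs, worked through as an added example; this is not code from the django-telegram-bot project. The prefix /telegram/webhook/, the function names and the sample access-log line are all assumptions made for the example, and the secret is drawn from the secrets module rather than random, which is not a cryptographic generator.

```python
import hmac
import re
import secrets

# Assumed URL prefix for the example; the issue proposes /telegram/webhook/<secret>.
WEBHOOK_PREFIX = "/telegram/webhook/"


def generate_webhook_secret(nbytes: int = 32) -> str:
    """Return a URL-safe secret from the OS CSPRNG.

    Step 1 of the proposal used random.choice(); random is not a CSPRNG,
    so the secrets module is used here instead.
    """
    return secrets.token_urlsafe(nbytes)


def webhook_path(secret: str) -> str:
    """Build the path that would be registered with setWebhook()."""
    return f"{WEBHOOK_PREFIX}{secret}"


def webhook_status(request_path: str, expected_secret: str) -> int:
    """Mimic the view's routing decision: 200 only for the exact secret path.

    hmac.compare_digest keeps the comparison constant-time, so a client
    probing the endpoint cannot learn the secret from response timing.
    Everything else gets 404, indistinguishable from an unknown URL, so
    the endpoint does not advertise that a webhook route exists.
    """
    if not request_path.startswith(WEBHOOK_PREFIX):
        return 404
    supplied = request_path[len(WEBHOOK_PREFIX):]
    # Encode to bytes: compare_digest on str rejects non-ASCII input.
    return 200 if hmac.compare_digest(supplied.encode(), expected_secret.encode()) else 404


# token_urlsafe output is base64url: letters, digits, '-' and '_'.
_SECRET_IN_PATH = re.compile(re.escape(WEBHOOK_PREFIX) + r"[A-Za-z0-9_-]+")


def redact_webhook_path(log_line: str) -> str:
    """Replace the secret path segment in an access-log line.

    Apply this before log lines leave the host (log shipper, object
    storage), so copies of the log do not carry the webhook secret.
    """
    return _SECRET_IN_PATH.sub(WEBHOOK_PREFIX + "[REDACTED]", log_line)
```

Rotating the secret on restart, as step 3 suggests, is then a matter of calling generate_webhook_secret() at startup and passing webhook_path() to setWebhook().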

37dev commented Aug 21, 2021

Hey guys, Telegram will encrypt requests. The only way for this to get exposed is by server compromise and the hacker having access to the tokens in logs. But if that happens, the attacker won't need the token anymore because he has the whole server... Tokens over URL are low severity.

morzik45 commented Aug 23, 2021

With Django, web + bot are often run in one instance, and if a junior, for example, decides to fix something on prod and turns on DEBUG mode, then Django will very colorfully provide all paths and tokens on the 404 page.

boatcoder commented

> Hey guys, Telegram will encrypt requests. The only way for this to get exposed is by server compromise and the hacker having access to the tokens in logs. But if that happens, the attacker won't need the token anymore because he has the whole server... Tokens over URL are low severity.

I disagree. If they have the token discovered from a third-party logging service or a poorly secured S3 bucket, they OWN your bot and can set the webhook URL to whatever they want it to be. I'm worried that Telegram might have poor log file control, but I can't control what they use as the endpoint. I don't have to get your server to read your logs, I just need to get to where you store the log files...

The article you quote doesn't even agree with your premise.
