tdlight-team/tdlight-telegram-bot-api

Phone numbers are exposed in the userbot tokens

luckydonald opened this issue · 6 comments

First of all, it does it differently from the bots, where the id of the bot is everything in front of the colon `:`.

Additionally, it exposes the phone number in several places where it is not needed, or is even a security concern.

One example is the stats page, where it now incorrectly gets listed as id of the account.
Additionally it is included in every request where probably the anonymous user id would be a perfectly fine replacement.

close?

@andrew-ld the underlying issue of exposing the phone numbers for tokens isn't solved.

  • (a) Maybe recreating the bot once the auth has worked could be a way to make that at least temporary until you're properly logged in.

  • (b) A different way would be to spin up a separate client instance to resolve the user id first, and only then add the bot to the usual list of running bots.
    I outlined that a bit here: https://t.me/TDLightChat/3050 and the messages after that.

    So apparently all we really would need is a dc_id, and a matching auth_key.
    (...)
    In my own Bot API implementation I would simply spawn a client with that dc_id and auth_key (and the dc's ip and port to not need to do that annoying lookup), to see if I have all the data needed to log in and if not, ask for more info.
    https://github.com/luckydonald/telegram_bot_api_server/blob/master/telegram_bot_api_server/main.py#L184

    It was done that way because it was not trivial to change the token after the session has been created.

    At least not with the normal bot instances which also do all of the update handling.

penn5 commented

I suggest generating a random number 2^32 > n >= 2^31 (so it's not a valid tg id) and using that as the id part of the token, and then putting the phone number in the bot token. To ensure there is no confusion, the first of the 2 version bytes can be set to a magic number for tdlight.

@penn5 That would be a good compromise.

I first tried to create a token with the user_id after the login, but I couldn't get it to work "moving" the tdlib instance to a new token after it was created. We could of course use a random number in the id part, but I actually like the phone number there because I have to work with a bunch of tokens, and without it, it is hard to tell which token belongs to which account without calling getMe.

The token should be kept secret anyway, so having the phone number there is not a problem. Apart from the stats page (which is fixed now), I'm not aware of any place where the bot token or a part of it is displayed.