
Make telegram bot Webhook secret

Open ohld opened this issue 3 years ago • 6 comments

Right now anyone can POST an event to TelegramBotWebhookView and fake Telegram events. This is a security issue, so it is better to change the webhook URL to contain a secret value like TELEGRAM_TOKEN.

Current Webhook POST endpoint:

/super_secter_webhook

Let's change it to:

/telegram/webhook/<TELEGRAM_TOKEN>

ohld avatar Mar 05 '21 12:03 ohld

So the TELEGRAM_TOKEN can be compromised more easily, for example, in logs.

morzik45 avatar Mar 25 '21 17:03 morzik45

Hm, agreed. In this case I'd add random string generation as part of the webhook endpoint.

ohld avatar Mar 26 '21 14:03 ohld

Can't we just:

  1. In settings, do `WEBHOOK_URL = ''.join(random.choice(string.digits + string.ascii_letters) for _ in range(26))`
  2. In tgbot/urls.py, set the webhook URL to WEBHOOK_URL
  3. Call the Telegram methods deleteWebhook() & setWebhook() every time we start up the bot? That way the logs are only valuable as long as we have our instance running. We might also implement changing the URL on the fly every, let's say, 24 hours, but that might be a bit over-engineered.

VeryBigSad avatar Jul 01 '21 12:07 VeryBigSad
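The three steps above, written out as an added example (this is not the project's code and not what the commenter posted). It is plain Python with no Django dependency: a hypothetical `Request` class stands in for Django's `HttpRequest`, and the `/telegram/webhook/<secret>/` prefix is the one proposed in this issue. It deliberately departs from the sketch in two ways a practitioner would want: the secret comes from the `secrets` module rather than `random`, which is not a CSPRNG, and the view also checks the `X-Telegram-Bot-Api-Secret-Token` header that Telegram sends when `setWebhook` is called with a `secret_token` (added in Bot API 6.1, after this thread). A `redact` helper shows how to keep the path secret out of your own logs, which is the exposure the later comments worry about.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Telegram echoes the secret_token passed to setWebhook in this header on every update.
# Allowed secret_token alphabet: A-Z a-z 0-9 _ -, 1..256 chars (secrets.token_urlsafe fits it).
SECRET_HEADER = "X-Telegram-Bot-Api-Secret-Token"
WEBHOOK_PREFIX = ("telegram", "webhook")  # -> /telegram/webhook/<path_secret>/


def generate_secret(nbytes: int = 32) -> str:
    """Fresh random secret from the OS CSPRNG; regenerate on every start-up (step 3)."""
    return secrets.token_urlsafe(nbytes)  # 32 bytes -> 43 URL-safe characters


def webhook_url(public_base: str, path_secret: str) -> str:
    """Absolute URL to hand to setWebhook (step 2: the same path goes into urls.py)."""
    return f"{public_base.rstrip('/')}/{'/'.join(WEBHOOK_PREFIX)}/{path_secret}/"


def redact(text: str, *secrets_to_hide: str) -> str:
    """Strip secrets before the URL reaches an access log or error tracker."""
    for s in secrets_to_hide:
        if s:
            text = text.replace(s, "<redacted>")
    return text


@dataclass
class Request:
    """Hypothetical stand-in for django.http.HttpRequest (method, path, headers)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def _eq(a: str, b: str) -> bool:
    # Constant-time compare on bytes; str operands would raise on non-ASCII input.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def is_authentic_update(req: Request, path_secret: str, header_secret: str) -> bool:
    """Accept only POSTs to the secret path that also carry the matching Telegram header."""
    if req.method != "POST":
        return False
    parts = tuple(p for p in req.path.split("/") if p)
    if len(parts) != len(WEBHOOK_PREFIX) + 1 or parts[:-1] != WEBHOOK_PREFIX:
        return False
    # Evaluate both checks before combining so a failure does not reveal which one failed.
    path_ok = _eq(parts[-1], path_secret)
    header_ok = _eq(req.headers.get(SECRET_HEADER, ""), header_secret)
    return path_ok and header_ok


if __name__ == "__main__":
    # Constructed demo: what start-up would do, then one good and one forged update.
    path_secret, header_secret = generate_secret(), generate_secret()
    url = webhook_url("https://bot.example.invalid", path_secret)
    print("setWebhook(url=..., secret_token=...)  logged as:", redact(url, path_secret))
    good = Request("POST", f"/telegram/webhook/{path_secret}/", {SECRET_HEADER: header_secret})
    forged = Request("POST", f"/telegram/webhook/{path_secret}/", {})
    print(is_authentic_update(good, path_secret, header_secret),
          is_authentic_update(forged, path_secret, header_secret))
```

In a real Django deployment the path pattern would be registered in tgbot/urls.py with the generated secret, the view would call `is_authentic_update` before parsing the update, and the start-up hook would call deleteWebhook and then setWebhook with both the URL and the `secret_token`; rotating both values on restart limits how long a leaked log line stays useful.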

Hey guys, Telegram will encrypt requests. The only way for this to get exposed is by server compromise and the hacker having access to the tokens in logs. But if that happens, the attacker won't need the token anymore because he has the whole server... Tokens over URL are low severity.

37dev avatar Aug 21 '21 22:08 37dev

With Django, web+bot are often run in one instance, and if a junior, for example, decides to fix something on prod and turns on DEBUG mode, then Django will very colorfully provide all paths and tokens on the 404 page.

morzik45 avatar Aug 23 '21 03:08 morzik45

> Hey guys, Telegram will encrypt requests. The only way for this to get exposed is by server compromise and the hacker having access to the tokens in logs. But if that happens, the attacker won't need the token anymore because he has the whole server... Tokens over URL are low severity.

I disagree. If they have the token discovered from a third-party logging service or a poorly secured S3 bucket, they OWN your bot and can set the webhook URL to whatever they want it to be. I'm worried that Telegram might have poor log file control, but I can't control what they use as the endpoint. I don't have to get your server to read your logs, I just need to get to where you store the log files...

The article you quote doesn't even agree with your premise.

boatcoder avatar Apr 27 '22 16:04 boatcoder