Unusual use bot for Telegram and a security check Telegram


Some time ago I told about your project don't call!, where when you add your phone number to the registry you must confirm that is your number.

Standard methods of confirmation — SMS or call pretty good, but not free. Have used us SMS.ru for example, one SMS costs 1.5 ruble ("SMS for 25 cents," said they on the main is a lie, such a rate is not).

What are free ways of confirming numbers? I came up with the following:

    the
  1. ask the user to send us SMS with your number. Find free Russian number who would accept SMS and send them via email failed (previously, this option was Zadarma). The use of non-Russian numbers — would deter users. An alternative solution — personal number, android app and type SMS Gateway — does not inspire confidence in terms of reliability and throughput.
    2. the
  2. ask the user to call us with your number. Even more difficult to implement option.
    3. the
  3. Check via Telegram.

The last option seemed interesting. How does it work? The bot asks the user to choose the site for authentication, and then requests the phone number of the user. If the user your phone number is reported, then the bot confirms the phone number at the selected site.

In Telegram Bot API, you can request user phone number:

the 
>>> contact_keyboard = telegram.Keyboardbutton to(text="send_contact", request_contact=True)
>>> custom_keyboard = [[ contact_keyboard ]]
>>> reply_markup = telegram.ReplyKeyboardMarkup(custom_keyboard)
>>> bot.send_Message(chat_id=chat_id, 
... text="Would you mind sharing your contact with me?", 
... reply_markup=reply_markup)

If the user agrees to pay the bot with your phone number, then the bot receives the following:

the 
{
"update_id": 912872664,
"message": {
"message_id": 57,
"from": {
"id": 777777,
"first_name": "Ne Dimon",
"last_name": "On vam",
"username": "onvamnedimon"
},
"chat": {
"id": 777777,
"first_name": "Ne Dimon",
"last_name": "On vam",
"username": "onvamnedimon",
"type": "private"
},
"date": 1492274787,
"contact": {
"phone_number": "79160000001",
"first_name": "Ne Dimon",
"last_name": "On vam",
"user_id": 777777
}
}
}

If a user can not send your phone number? Can. The user instead so the bot can send any other contact from your phonebook. But contact/user_id in this case will not be equal to from,/id, and the bot finds out that he sent someone else's contact.

I was interested in the question, is it possible using a modified client Telegram to send someone else's phone number with his id. @BotSupport Telegram claims that it can be done (maybe have check on the server). But they (especially Russian-language support) is not particularly trust, suggest a challenge — to confirm the number (916) 000-00-01 on our website (checked on this number "caller not available", I think it doesn't exist). To do this, go to bot link and request number to send to it the number of (916) 000-00-01 with your id.
Ongoing Bug Bounty programme at the Telegram, as I understand it, does not exist, because the one who will do it, nothing will receive. Although, you can some information about someone to obtain, for example, in the bot Bank ;).
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

The use of Lisp in production

Изображение
Grammarly the heart of our business — Central language features — written in Common Lisp. Now the engine handles more than a thousand sentences per second, massturbate horizontally and reliably serves us in production for almost 3 years. We have noticed that there are almost no posts about the deployment of Lisp software in a modern cloud infrastructure, so we decided to share our experiences is a good idea. Runtime and programming environment of Lisp provides several unique, a bit unusual, capabilities to support production systems (for the impatient — they are described in the last part). Wut Lisp?!! Contrary to popular opinion, Lisp is incredibly practical for production systems. Just put, around us, many Lisp systems: when you are looking for air ticket on Hipmunk or riding the subway in London, used a Lisp program. Our Lisp-conceptual services represent a classic AI app that operates on a huge pile of knowledge created by linguists and researchers. Its main us...
Далее...

FreeBSD + PostgreSQL: tuning the database server

Hello, Charcoaldust! Probably, my article will be of no interest hardened sysadmin and copy-paste seem. But I'm addressing it to those who, like me, being the only developer for the first time faced with the need also to administrate the server, thus solving the problem of highly loaded database. And to Google you are not cursed, try to gather in one place the basic techniques for acceleration of the database server, which I have successfully managed to implement. The input data my problem is the following: dual processor (Intel Xeon) machine, 8 hard drives at 500GB and 12Gb of RAM. And complete, including physical, access to this good. Task: to arrange a fast database server based on FreeBSD and PostgreSQL. 1. RAID The correct partitioning of the available hard drives on raids we need to be PostgreSQL, as tablespacing (more on this below). Your 8 hard I broke into pairs and organized in this way: two pairs unite in RAID1 and two pairs in RAID0 (actually, for our...
Далее...

As we did a free Noodle for iOS and how we plan to earn

Изображение
Since the beginning of this year we with friends make known multiplayer word game for iOS – Balda Online . For those who have not played the Noodle: the game is played on a field of 5x5. There is a start word of 5 letters. Players in turn add one letter, until the end of the cell. The course is given 2 minutes. The longer the words the more points. In the game important qualities such as erudition, quickness of mind, memory, composure and calculation. We have set ourselves the task to make the world's best Noodle and strive to achieve this goal, constantly introducing new and new features. The interest in the game is big enough: Baldev is playing Online 12 thousand people every day (up to 1000 players simultaneously at peak time), daily spending more than 25 thousand games. We are confident that we will be able to increase these figures significantly. By the way, information about the current number of players is displayed right on the main page. Download game to s...
Далее...