Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Make telegram bot Webhook secret

See original GitHub issue

Right now everyone can POST event to TelegramBotWebhookView and fake Telegram events. This is a security issue so it is better to change Webhook url to contain secret value like TELEGRAM_TOKEN.

Current Webhook POST endpoint:

/super_secter_webhook

Let’s change it to:

/telegram/webhook/<TELEGRAM_TOKEN>

Issue Analytics

State:
Created 3 years ago
Comments:6 (2 by maintainers)

Top GitHub Comments

1reaction

morzik45commented, Mar 25, 2021

So the TELEGRAM_TOKEN can be more easily compromised, for example, in logs.

0reactions

boatcodercommented, Apr 27, 2022

Hey guys, telegram will encrypt requests. the only way for this getting exposed is by server compromise and hacker having access to the tokens in logs. But if that happens, the attacker won’t need the token anymore cause he has the whole server… Tokens over url are low severity .

I disagree. If they have the token discovered from a 3rd party logging service or a poorly secured S3 bucket, they OWN your bot and can set the webhook URL to whatever they want it to be. I’m worried that Telegram might have poor log file control but I can’t control what they use as the endpoint. I don’t have to get your server to read your logs, I just need to get to where you store the log files…

The article you quote doesn’t even agree with your premise.