All right, so I've been intending to use Telethon to automate several things on telegram with Python, but I'm not sure I understand the gist of it.
First of all, you need an api_id and an api_hash. To do so, you go to my.telegram and go to API development tools. There you are sent a code to your telegram android phone and after submitting, you receive an unique id/hash. First question, is this code you are sent in order to generate an app necessary any more?
Now in python, you can start a client as follows.
from telethon import TelegramClient
api_id=12345
api_hash='abcdef12345ghij'
client=TelegramClient('name of the session',api_id,api_hash)
You can try to connect the client, but it can lead to it not being authorized or the phone not being signed up, so you can use start, which will decide between sign in, or sign up.
Among the parameters you can set in start, there is force_sms (bool, optional) to force telegram to share the code needed to register and log in by sms.
My question here are, if the phone is not signed up, what other means could have telegram used? I mean, they can't send it to the mobile app as that phone doesn't have one.
If a phone not being signed up is a possibility, does this mean the phone with which you got your id/hash is is not necessarily the same with which you create the client?
As this method has a callback, you can input the code sent to your phone and connect to telegram.
Another way to connect a client is using StringSession. I found this piece of code:
from telethon.sync import TelegramClient
from telethon.sessions import StringSession
# Generating a new one
with TelegramClient(StringSession(), api_id, api_hash) as client:
print(client.session.save())
# Converting SQLite (or any) to StringSession
with TelegramClient(name, api_id, api_hash) as client:
print(StringSession.save(client.session))
# Usage
string = '1aaNk8EX-YRfwoRsebUkugFvht6DUPi_Q25UOCzOAqzc...'
with TelegramClient(StringSession(string), api_id, api_hash) as client:
client.loop.run_until_complete(client.send_message('me', 'Hi'))
This bring several questions on its own. According to the docs, this is a way to storing in a string the credentials needed to login, including the authorization key and the phone.
How is this obtaining the authorization key? In the other method, it was sent to your phone for you to input, but here? How can you specify the phone to which you want to connect? Is this a method you can only, or you should only use after the phone has been given access?
In code, is this a possibility?
#Obtain an api_id, api_hash from phone 777777777
from telethon import TelegramClient
from telethon.sessions import StringSession
api_id=12345
api_hash='abcdef12345ghij'
client=TelegramClient('name of the session',api_id,api_hash)
client.start(phone='5555555',force_sms=True,code_callback=True,first_name='John',last_name='Doe')
#Asked to input the code sent to the phone 555555 by sms. Is this code the authentication key?
string = StringSession.save(client.session) #Now I can connect whenever I want using string session.
Two last questions
Can you have more than one session for the same number, even if they don't try to connect at the same time? Like for example, with different api/hash starting the same phone at different times, or as the first session is stored within telegram, creating the second severes the link to telegram of the first?
Can you skip in any way the verification code using for signing up?
Kind regards
is this code you are sent in order to generate an app necessary any more?
Yes, like with many online services offering an API, you register your developer account and get a token (in Telegram's case, api_id and api_hash combination) that can be used to access the API (at all or with less limitations).
It might seem a bit confusing that your application is bound to your user account, however this doesn't mean it can only be used in your account. You, the developer, create an application, and any other user (or even bot) can run your application using your api_id and api_hash.
As an example, when you use Telegram for Android or Telegram Desktop, you are running the application they developed, and are logging in using the api_id and api_hash of the respective developers, not your own.
if the phone is not signed up, what other means could have telegram used?
Telegram may send a SMS to the phone number or perform a phone call. You can use https://tl.telethon.dev to find that send code returns, at the time of writing, a SentCode. This comes with a SentCodeType which currently can indicate: sent via app, call, flash call, or SMS.
does this mean the phone with which you got your id/hash is is not necessarily the same with which you create the client?
As explained above, the api_id and api_hash is for the developer of the application, not the users that will login to your application. When you get started, this person is often the same (you, the developer), but when you publish your application, anyone can sign in without needing to provide their api_id and api_hash. Of course, you would need to keep those secret to try to minimize people from using your key in their applications, although this is not really doable.
How is this obtaining the authorization key?
StringSession embeds the authorization key that was generated to be used for encryption inside the string itself. Next time you use the client, all you need is this key, as Telegram already knows who you are with it, because you signed in before.
How can you specify the phone to which you want to connect?
There is no need. Telegram remembers the account that logged in with a certain authorization key. In official clients, you may see which devices are logged in and terminate their sessions (invalidating their authorization key) to log them out.
Is this a method you can only, or you should only use after the phone has been given access?
You can use StringSession to login, too, and just print it and reuse it later. In this case, the StringSession would begin empty, Telethon would generate an authorization key, you would login, and saving the session would produce something that can be reused.
Can you have more than one session for the same number, even if they don't try to connect at the same time?
Yes, this is what happens when you use, for example, Telegram for Android and Telegram Desktop. Adding a third with Telethon is not different.
Can you skip in any way the verification code using for signing up?
No, because Telegram needs to validate the phone exists and is in use.
Related
I'm about to host a competition where you register via a bot in discord.
And I want to prevent users from submitting and then logging out and in again with a different account and submitting again. And doing that maybe 20 times to get a bigger chance to win.
If there is some way to detect that they are using the same device and make the following submissions invalid?
If not, if someone has a smart idea to prevent multiple submissions?
Discord.js does not have a way to track an specific device yet.
Something clever you could do, is to make the bot give your users a link to make them register via a website that stores a cookie to tell whether you have signed up already or not. You can also use Discord's OAuth2 to get the information from your signed up users to your database.
I am developing a chat app and in frontend i am using reactjs
for reactjs, i am using this library: https://www.npmjs.com/package/pubnub-react
I see here, the subcribe and publish key is exposed in frontend, My question is, it it secure to add such key in frontend?
here you go for sample code:
const pubnub = new PubNub({
publishKey: 'myPublishKey',
subscribeKey: 'mySubscribeKey',
uuid: 'myUniqueUUID'
});
PubNub Access Manager
Quote from Stephen Blum (founder and CTO of Pubnub) from an answer to a duplicate question:
This is the same problem with Facebook. I can open your FB page and copy your auth_key from the network tab and gain access to your Facebook page. You must treat your PubNub auth_key the same as you would a secret intended only for the user. This is like a Session Key/ID that allows access to a data stream, similar to the way Netflix, Spotify, Facebook and Gmail provide a secure access layer.
To summarize, you cannot hide the PN keys but you can secure them by enabling and implementing PubNub Access Manager.
Read the docs from the link above, but this question has also been answered a couple of times before on Stack Overflow. The code samples there are older but the concept is the same:
Secure Pubnub subscriber key and channel name
how to hide pubnub keys when using JS
Also, always pass the pub/sub keys back to the client app from your server (along with the auth-key and the UUID) rather than hardcoding them into the client code. This allows you to swap the keys if you ever need to do so. It's rare but can be super-useful if you ever need to.
I have a couple of questions about the OneSignal notification service. I have been reading the documentation and there are couple of things that bother me security-wise or I'm missing something.
As I understand the process Javascript client uses the Web Push SDK to communicate with the OneSignal API. To instantiate the communication it needs appId parameter, which is available to client.
After that the client can call getExternalId, getEmail, getTags methods to potentially gather user sensitive data. Once in possession of that data on some other device methods setExternalId and setTags can be called with gathered data to impersonate other user and receive notifications directed to them (at least those that get routed using the set parameters).
Does OneSignal presume that device (endpoint) is not compromised?
OneSignal doesnt see setExternalId misuse as a security concern, as notifications shouldn't include sensitive information, as stated in their webpush SDK github.
Only recommendations they do about external_id are its uniqueness, and complexity.
Clients can only call getTags, getEmail, getExternalId, and other methods if they know the subscriber's OneSignal player_id. Since the player_id is only known by the client, it is not possible to impersonate the user or to get this data.
Even so, OneSignal recommends against storing sensitive data in tags or other fields.
I am building an application in NodeJS + Express where teams can share information with one and other and chat (kind of like an internal messaging forum).
Sometimes there is a need for the team's clients to view and edit some of this stored information on a case by case basis (e.g. a client asks a question and wants to message back and forth with the team, using my app). I don't want the client to have to sign up for an account in this case.
I am thus wondering what is the most secure strategy for generating a URL where anyone with the URL can view and edit a document/POST data to my app within the confines of a single document, without signing in?
(I've seen a couple of posts on this topic but they're quite old and don't focus on this specific case.)
First of all, I can absolutely understand the benefits, but still it is not an optimal idea. However, I would like to summarize some thoughts and recommendations that will help you with the development:
A link like this should not be able to perform critical actions or read highly sensitive data.
Access should be unique and short-lived. For example, the customer could enter his e-mail address or mobile phone number and receive an access code.
If you generate random URLs, they should be generated in a secure random manner (e.g. uuid provides a way to create cryptographically-strong random values).
If I had to design this I would provide as little functionality as possible. Also, the administrator would have to enter a trusted email address and/or mobile phone number when releasing the document. The URL with a UUIDv4 is then sent to this channel and when the customer clicks on the link, he gets a short-lived access code on a separate channel if possible (on the same channel if only one was configured). This way you prevent the danger of an unauthorized person accessing the document in case a customer forwards the original URL out of stupidity.
I need to create a small mobile application that will encrypt the user selected sms to make it unreadable.after words user should be able to decrypt it only by entering proper key.we need to use J2me.Can anybody tell me how to start with it?
It is possible encrypt outgoing messages or receive an incoming encrypted sms using WMA API, however you should consider the following cases
Your application can receive the sms send to the designated ports
The Server/Aggregator that sends the sms should send the message in an encrypted format for which the client knows the key to decrypt.
Some phones might require signing of the build
However if you want to provide an interface to read the SMS that is in phone's default inbox, then it is either impossible or difficult to implement
I am not sure that most phones would allow you access to the users SMS. That would be a gross breach of privacy and the nightmares involved with it.
Although I have never used Java, I am sure it cant be that hard to encrypt and decrypt a string. A simple Google search would offer some ways.
Then you would just need to provide a simple service to send short snippits of text between users. Im sure it wouldnt be that hard
Do you want to send encrypted messages or encrypt incoming ones? If the latter, this is pointless, because you can insert SIM card to another phone and there will be no security at all. Also, despite some devices J2ME can access received SMS messages, it won't allow you to modify it. If the first option (sending), you still have to fit encrypted message in 160 characters and it won't be possible on some devices.
I get this WMkits SMS Encryption. It is a text messages encryption software for Windows Mobile phones. It can encrypt and hide the SMS messages (including existing SMS messages and future incoming/outgoing SMS messages) on windows mobile device.