Back to Home

About the intricacies of privacy in the Telegram Bots API: “this is not a bug, this is a feature”

Telegram · Bots API · bots · telegrams

About the intricacies of privacy in the Telegram Bots API: “this is not a bug, this is a feature”

    imageA week ago , the Bots API, a platform for creating bots, was launched in the Telegram messenger . The platform may be a little dank, slightly crutch, but nevertheless interesting - both for users and developers, who immediately rushed to write (and port) a variety of bots . But, as it turned out, the API has at least one feature that may seem rather unexpected (and even unpleasant) for end users.

    I must make a reservation right away: this note is not another attack on the security of the Telegram. Moreover, given the friendly relations with some of the messenger developers, I did not particularly want to write an article. But to warn those who plan to create and, most importantly, use the bots in Telegram, it seemed to me important. "Plato is my friend but the truth is dearer".

    First, briefly for ordinary users. If you send a photo to some bot in Telegram (assuming that the bot will then send this photo to another person), remember that the final recipient of the photo (if desired) can easily find out your name / photo / username(and will be able to contact you directly). Even if the bot involves privacy and anonymity. This interesting aspect is extremely unobvious even for the creators of the bots. And they (so far!) Can do nothing about it. Strictly speaking, this applies not only to photographs (but almost all types of attachments), but to see your profile in other cases is somewhat more difficult.

    This is also subject to the example given in the description of the new @HotOrBot platform . In this “Tinder analog”, you can easily peep the accounts of those whose photos you are asked to rate (and, in fact, write to them - even if they have not yet reciprocated).

    (as can be seen in the illustrations, it is enough to open the photo, for example, in the web version of the Telegram )

    In my created@TalkBot (it allows you to anonymously communicate in "rooms" in the spirit of IRC or one-on-one, acting as an intermediary) the same problem: do not send photos to the chat room if you do not want to be deanonymized. But my bot at least warns everyone about this.


    The technical background and why this problem cannot be solved without the participation of the Telegram. Now, with a file sent to the bot, the bot can do only one thing: take its ID ( file_id ) and send it to someone else (this is forward not the message itself, but only the attached picture / video / audio / document, in the documentationit just looks like a trick to save resources). Unfortunately, it is impossible to get the body of the file at the moment (obviously, this will be implemented in the near future, since the feature is archived). Otherwise, it would be possible not to use the same file_id, but to fill in the photo again (at least some kind of workaround would be). Now there is no other solution than to warn users (or limit functionality at all).

    Why is this not a bug in the platform? Formally, this behavior is more or less documented (the InputMediaPhoto vs InputMediaUploadedPhoto constructors , as well as the returned photo object) in the regular API, so it cannot be considered a bug. In general, bots are created by third parties - what privacy is there. Given the positioning of the Telegram as a messenger that focuses on privacy, it may be worthwhile for client applications to make it clear that all data sent to bots is completely open to bot authors (no matter how commonplace it sounds).

    Only registered users can participate in the survey. Please come in.

    What (and to whom) in this situation should be undertaken?

    • 58.7% Telegram should urgently fix this behavior, considering it as a vulnerability 295
    • 37% Telegram should notify users of threats associated with sending messages to bots 186
    • 40.8% Telegram should notify bot developers of "pitfalls" in its API 205
    • 37.8% Bot developers should notify users of risks when sending messages to bots 190
    • 18.7% Bot developers should limit the functionality that could mislead users 94
    • 46.6% Users should remain vigilant on their own and not send private information to bots 234

    Read Next