Telegram Bots, Keys and Pockets

Markus Ra

We just got alerted to a new instance of the old "if I had your keys, I could get into your home" story.

A company called Forcepoint found some poorly written malware that used a Telegram bot. The malware's author left his Bot API key in the open, which allowed Forcepoint to pick up the keys to his "home" and read the messages his bot received.

If I could break HTTPS...

The company published a post where they mentioned that it is "trivial for an adversary performing MiTM on the target’s HTTPS connection to obtain the bot API key." While this is true, it translates to:

HTTPS (TLS) is the industry standard that is used not only by the bot platforms of Telegram, Slack, Discord, Kik and Messenger, but also by your bank and gadzillions of other services. That's a lotta pockets.

(To be clear: Forcepoint didn't break HTTPS, they just found one bot key lying in the open.)

What you get for "breaking HTTPS"

By default (the Bot API calls this privacy mode), Telegram bots in groups only receive the messages specifically meant for them. That is, messages that contain a /command for the bot, @mention the bot by its username, or reply to one of its messages.
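To make concrete what a stolen token actually buys, here is an added example (not code from this post or from Telegram) that filters a getUpdates-shaped list down to the messages a privacy-mode bot would have been handed, using the three rules above plus private chats. The bot username, the update payloads and the helper names are constructed for illustration; the real Bot API adds further conditions for unaddressed commands in groups that this simplified model ignores.

```python
"""Simplified model of Telegram Bot API privacy mode (added example).

Rules modelled: a /command for the bot, an @mention of its username, a reply
to one of its own messages, or any private chat. Field names (entities,
bot_command, mention, reply_to_message, chat.type) follow the Bot API Update
object; the bot username and sample updates below are constructed.
"""
from typing import Dict, List, Optional, Tuple

BOT_USERNAME = "ExampleBot"  # hypothetical bot username


def _entity_text(message: dict, entity: dict) -> str:
    """Slice the entity out of message.text (offsets are UTF-16 units; ASCII samples make str slicing safe)."""
    text = message.get("text", "")
    return text[entity["offset"]:entity["offset"] + entity["length"]]


def addressed_to_bot(message: dict, bot_username: str = BOT_USERNAME) -> Optional[str]:
    """Return the rule under which a privacy-mode bot would receive `message`, else None."""
    if message.get("chat", {}).get("type") == "private":
        return "private chat"
    me = bot_username.lower()
    for ent in message.get("entities", []):
        token = _entity_text(message, ent)
        if ent["type"] == "bot_command":
            # "/start" (unaddressed) or "/start@ExampleBot" (addressed to us)
            _, _, target = token.partition("@")
            if not target or target.lower() == me:
                return "command"
        if ent["type"] == "mention" and token.lower() == "@" + me:
            return "mention"
    replied = message.get("reply_to_message", {}).get("from", {})
    if replied.get("is_bot") and replied.get("username", "").lower() == me:
        return "reply"
    return None


def visible_messages(updates: List[dict], bot_username: str = BOT_USERNAME) -> List[Tuple[int, str, str]]:
    """Keep only (update_id, rule, text) for messages a privacy-mode bot would see."""
    seen = []
    for upd in updates:
        msg = upd.get("message")
        if msg is None:  # edited_message, callback_query, ... are out of scope here
            continue
        why = addressed_to_bot(msg, bot_username)
        if why:
            seen.append((upd["update_id"], why, msg.get("text", "")))
    return seen


GROUP = {"id": -1001, "type": "supergroup"}   # constructed chat objects
PRIVATE = {"id": 42, "type": "private"}
BOT_FROM = {"id": 7, "is_bot": True, "username": BOT_USERNAME}

# Constructed updates, not captured traffic.
SAMPLE_UPDATES: List[Dict] = [
    {"update_id": 1, "message": {"chat": GROUP, "text": "/start@ExampleBot",
     "entities": [{"type": "bot_command", "offset": 0, "length": 17}]}},
    {"update_id": 2, "message": {"chat": GROUP, "text": "hello everyone"}},
    {"update_id": 3, "message": {"chat": GROUP, "text": "hey @ExampleBot what's up",
     "entities": [{"type": "mention", "offset": 4, "length": 11}]}},
    {"update_id": 4, "message": {"chat": GROUP, "text": "yes please",
     "reply_to_message": {"from": BOT_FROM, "text": "Run backup?"}}},
    {"update_id": 5, "message": {"chat": GROUP, "text": "/help@OtherBot",
     "entities": [{"type": "bot_command", "offset": 0, "length": 14}]}},
    {"update_id": 6, "message": {"chat": PRIVATE, "text": "my password is hunter2"}},
    {"update_id": 7, "message": {"chat": GROUP, "text": "/status",
     "entities": [{"type": "bot_command", "offset": 0, "length": 7}]}},
    {"update_id": 8, "edited_message": {"chat": GROUP, "text": "typo fixed"}},
]

if __name__ == "__main__":
    for update_id, rule, text in visible_messages(SAMPLE_UPDATES):
        print(f"{update_id}: [{rule}] {text!r}")
```

Of the eight constructed updates, the bot (and therefore whoever holds its token) gets five: two commands, one mention, one reply and the private chat. The group chatter in update 2 and the command aimed at another bot in update 5 never reach it, which is the point the post makes about what a leaked key is worth.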

So if you broke HTTPS, you could go hunting for a bot's token in the hope of recovering something useful from the messages it gets. In most cases, you would only get a list of /commands telling the bot to do something. (If your own token ever does leak, it can be revoked and a new one issued via @BotFather.)

Instead, our advice for anyone who breaks HTTPS would be to head over to the nearest bank and transfer a few billion dollars into their private account. This would make breaking HTTPS a lot more fun and profitable.