Telegram Bot Vulnerability

Programmable IM (instant messaging) is the killer feature that's going to make Telegram overtake WhatsApp. The bots are going to take over. I was surprised to see the likes of Kenya Power, Zuku and even Ktalk launching their official bots, so I took some interest in the bots and studied them for a while. If not implemented properly, these bots could expose a weakness in the system.
Take for instance Zuku's bot: it allows one to enter their account ID and query some details. I took the liberty of visiting Zuku's Twitter page and doing a simple query to fetch account numbers, and got plenty.

[screenshot attachment]
Having some samples, I went over to the Telegram bot and easily changed my account to the sample I had obtained. From there I got some basic details about the individual behind the account:

[screenshot attachment]

Even phone number and balance:

I got more curious and decided to try some random numbers, and to my surprise some worked. For instance, what was the first account created at Zuku, #1? Here you go.

[screenshot attachment]

This is a goldmine for the conmen in Kamiti: imagine knowing a person's name, number, their bill and when it was due. Perfect scam. So if I had sufficient motivation I would scrape their entire DB and hand it over to whoever might find the data useful. I don't feel motivated though. But wait, how do they parse the account ID? There's some potential for some classic SQL injection; this could be good...

SELECT fieldlist
FROM accounts
WHERE account_id = '#2334234'; DROP TABLE accounts; --'   -- BOOOM!

That didn't work, but it would have been exciting. Apart from the handing out of private details, I can say the other parts are secure. Let me sleep; tomorrow I'll try reading people's meter numbers with that Kenya Power bot.

11 Likes
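As an added example (not code from the original post, and not Zuku's or Telegram's code), here are the two weaknesses discussed above side by side with a hardened handler: the lookup that answers any chat about any account number (which is what makes guessing "#1" work), the injection the post speculated about, and a version that binds the ID as a parameter and only answers for an account the requesting chat has already proven it owns. The schema, the sample customers, the chat-to-account binding table and the handling of the leading "#" are all assumptions made for the demo; an in-memory SQLite database stands in for the bot's real backend.

```python
import sqlite3

# Constructed sample data for the demo (not Zuku's schema or customers). Sequential
# account ids are what let the post's author guess "#1" and hit a real record.
SAMPLE_ACCOUNTS = [
    (1, "First Customer", "+254700000001", 1500.00, "2016-06-30"),
    (2334234, "Second Customer", "+254700000002", 3200.50, "2016-07-05"),
]
# Hypothetical binding table: which Telegram chat has proven it owns which account
# (for example via a one-time code sent to the phone on file). Chat 555 owns 2334234.
SAMPLE_BINDINGS = [(555, 2334234)]


def build_db():
    """Build the in-memory SQLite database that the handlers below query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, name TEXT, "
        "phone TEXT, balance REAL, due_date TEXT);"
        "CREATE TABLE chat_accounts (chat_id INTEGER, account_id INTEGER);"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.executemany("INSERT INTO chat_accounts VALUES (?, ?)", SAMPLE_BINDINGS)
    return conn


def vulnerable_lookup(conn, account_id_text):
    """The pattern the thread describes: any chat may ask about any account number,
    and the user's text is spliced straight into the SQL. Stripping a leading '#'
    is an assumption about how the bot parses '#2334234'."""
    sql = ("SELECT name, phone, balance, due_date FROM accounts "
           "WHERE account_id = '%s'" % account_id_text.lstrip("#"))
    return conn.execute(sql).fetchall()


def stacked_query_attempt(conn):
    """Send the post's '; DROP TABLE accounts; --' payload to the vulnerable handler
    and report whether the accounts table survived. With Python's sqlite3 it survives
    only because the driver refuses more than one statement per execute() (raising
    sqlite3.Warning before 3.12 and ProgrammingError from 3.12). That is driver luck,
    not a defence: a single-statement payload such as ' OR '1'='1 still dumps rows."""
    try:
        vulnerable_lookup(conn, "#2334234'; DROP TABLE accounts; --")
    except (sqlite3.Warning, sqlite3.Error):
        pass
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'accounts'"
    ).fetchall()
    return len(tables) == 1


def hardened_lookup(conn, chat_id, account_id_text):
    """Hardened handler (added here, not Zuku's code). Three changes: the id must
    parse as an integer, it is bound as a parameter rather than formatted into the
    query, and a row is returned only if the requesting chat is bound to that
    account. Unbound and non-existent ids get the same empty reply, so the bot can
    no longer be used as an oracle for which account numbers exist."""
    try:
        account_id = int(account_id_text.strip().lstrip("#"))
    except ValueError:
        return []
    return conn.execute(
        "SELECT a.name, a.phone, a.balance, a.due_date FROM accounts AS a "
        "JOIN chat_accounts AS c ON c.account_id = a.account_id "
        "WHERE c.chat_id = ? AND a.account_id = ?",
        (chat_id, account_id),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, guessed #1:      ", vulnerable_lookup(db, "#1"))
    print("vulnerable, ' OR '1'='1:     ", vulnerable_lookup(db, "' OR '1'='1"))
    print("stacked DROP survived:       ", stacked_query_attempt(db))
    print("hardened, owner asks 2334234:", hardened_lookup(db, 555, "#2334234"))
    print("hardened, same chat asks #1: ", hardened_lookup(db, 555, "#1"))
    print("hardened, injection payload: ", hardened_lookup(db, 999, "' OR '1'='1"))
```

The enumeration problem is the one that actually leaked data in the thread, and parameterised queries alone do nothing about it: the fix is the ownership check, plus the identical empty answer for "no such account" and "not your account". Rate limiting per chat is a reasonable extra layer, but on its own it only slows a scrape down.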

Let me build a Python script to mine that data for me.

The fault lies with both Zuku and those customers. Someone should not put anything that uniquely IDs them on a public web page. And it shouldn't be that easy to get personal info.

The fault is Telegram's. You can't get the same information using Twitter or Google.

How so? Telegram provided the API and Zuku misused it.

1 Like

Security squarely lies with the developers at Zuku, not Telegram.

And how about the Ktalk one? Can you get me Slutty_Butt's number?

3 Likes

The Ktalk one is the one with a problem: I posted a thread and it spat out all my names.

1 Like

He he, Elijah Wephukulu.

1 Like

Droid 254, what's up?

[screenshot attachment]

2 Likes

Why should you be tweeting or posting any unique number of yours online?

Zuku should reprogram their bot.

A rogue bot

Now that we are talking about privacy, isn't Safaricom exposing our privacy with the M-Pesa confirmation thing? All I need to get your full names is to attempt to send you money, then reply with a 1 before the transaction goes through.

:D:D

Give me the link to the Ktalk bot.

https://telegram.me/KtalkBot
http://www.kenyatalk.com/index.php?threads/official-telegram-bot.20067/

So you're not a mūrīa gīko (shit eater) after all... I bow down.

Hahahahahaha, this guy is Gecko Moria (One Piece Wiki, Fandom).

1 Like

Sorry, Weps.