When I access my telegram-bot, after some time, it requires user authentication with the text:
"Stand by...
Hi there!
Before We Can Continue We Need To Verify That You're a REAL User"
When this message appears it seems the session is closed, and the user can't receive bot notifications until the user authenticates.
I can't understand why this authentication is required if I am storing each user's telegram_id.
Your bot token might have been exposed on git.
You need to change the token.
Instead of hard coding it in the code, pass it as an environment variable.
Just had the same issue!
I guess someone scraped my bot token from a public repository and tried to steal my account. NEVER leave your bot token in a public repo!!!
Detailed description for others to find this thread:
Bot sent what it was programmed to do and then
"Hi There!
Before We Can Continue We Need To Verify That You're A REAL User"
Telegram sent me login code -> I entered it (yeah, I'm dumb)
Bot printed
"Please reply with your 2FA (Two Factor Authentication / Two Step Verification) code"
then
"Timeout has been reached , pleaase try again."
(I like the pleAAse part, where you understand it was totally fake)
Telegram said it was
Device: Android
Location: Bulgaria (IP = 185.95.157.122)
I discovered what was wrong!
Lev Vasilyev's answer made me think that somebody was able to get my bot_token. So, I changed it, and the authentication message no longer appeared.
It's important to go into Telegram's allowed devices and delete unauthorized accesses.
My bot has "Stand by... Hi there! Before We Can Continue We Need To Verify That You're a REAL User" too.
When I proceeded and sent the authentication code, and the SMS from Telegram was received, I had been authorized as a Samsung Galaxy S20 5G from a Seychelles IP address which was not mine... This was very strange. If anybody has had that experience please post your answer too. Maybe somebody has stolen my bot... Sorry if my English is not very correct and nice. I hope you understand.
I had the same problem, changed the token and resolved the problem. I needed to set the webhook again to make it work.
All replies are correct:
your token has been stolen and used by hackers; once you enter your credentials, you will see unknown sessions in your Telegram.
Change the token via BotFather and do not publish it in public places.
If you have already put your credentials into the telegram bot, you need to change the password immediately.
I can't get Firebase to send verification emails, anyone with the same issue?
I've created an account, enabled Email/Password, and added users.
However, when I go to the Users tab in Authentication, choose a user and press Reset password, Firebase tells me that the email is sent, however I never receive it?
I've tried with multiple different emails (gmail, hotmail etc.) and looked through spam etc., however I never receive the email. What am I doing wrong? Some setting somewhere I need to tick off? Rookie question, I know, but frustrating. Thanks!!
I get the same problem with a user; he didn't receive any email at his work email address from Firebase magic link authentication.
I'm still using Firebase as provider but I think to integrate with sendgrid soon.
I am using the Google Analytics API to fetch analytics data. I tried to authenticate it using the following steps:
Created OAuth client ID in https://console.developers.google.com/ credentials section.
In consent screen I had set publishing status as testing
In OAuth 2.0 Playground I got the refresh token using above generated client id and client secret
Then I am using it to generate access token through it.
But after a few days, the refresh token expires although it is mentioned that the refresh token's validity is lifelong.
If your app is in testing mode then user tokens will expire in 7 days. Please find the explanation here: https://support.google.com/cloud/answer/10311615#zippy=%2Ctesting
I needed to send mails from a gmail account that I have access to, using nodemailer. It works for a couple of days before my refresh token is mysteriously revoked, even though the account belongs to me. A google search brought me here and I had been watching for a while hoping someone would help with a solution.
As you mentioned, this seems to happen with only test/unverified apps and I'm guessing google revokes tokens for such applications in your account after a few days. After much trials and errors, here is what I did.
NOTE: This solution is only applicable to accounts you own; otherwise you must verify your app to access other people's accounts.
Generate a new refresh token (existing one is most likely revoked) as described in this SO post
Go to the security tab of your google account dashboard
Under the Recent security activity section, you should see a security alert for your app.
Click on the context menu next to the notification and click DISMISS
At this point you'll be presented with a dialog of options where you indicate the level of trust you have for the app. I just went ahead and said I trusted the developer/app, obviously. And that's it! The refresh token should persist after this.
I could not find anything related anywhere else.
The other answer pointed me in the right direction but for me the option was located somewhere else: security > security checkup/security issues found > context menu next to your app > dismiss
This issue seems to be for unverified apps. Simply delete the token file from your project and rerun the project; it will create a new token.
My problem was when I've added access_token instead of refresh_token.
What I did:
Go to https://console.cloud.google.com/apis/credentials/consent and change from the testing status to published.
Delete the current token file.
Authorize the API again by signing into your gmail account. You will be sent to a warning screen. From there, you can choose to proceed.
When done you'll get a new token file
The solution is to delete your token.json file to force Google to find a new token.
I was able to get it to work WITHOUT a verified app. Perhaps the refresh() method will work once my app is verified. Not sure on that one.
This question is not language specific.
I want to send my username and password as soon as I get logged off from the captive portal, because many people are using an admin ID (infinite data benefits) in my college, and I want to send the HTTP POST packet ASAP.
So I want to run a piece of code which runs infinitely (as long as I am online) and sends the username and password, and I have absolutely no clue how to go about it. Is there a batch file that I can run? Or something else? I haven't the slightest clue.
This is a simple python automation problem. Try this:
How I created a Python Bot to automatically log into a Captive Portal by Ritvik Khanna https://medium.com/p/how-i-created-a-python-bot-to-automatically-log-into-a-captive-portal-3d4ba04dee9f
In private chat with a bot (a user and a Bot), is it possible to edit/delete user messages? I am creating a Telegram Bot for registration. As a registration step, the users insert their password, and for security considerations, I want to replace it with stars or delete it. Any idea?
It is as simple as calling deleteMessage with chat_id and message_id
https://core.telegram.org/bots/api#deletemessage
EDIT:
As @mohamad-mehdi-rajaei mentioned in his comment, this method seems to only delete bot-sent messages, not user-sent messages.
The only solution I can imagine is to provide a numeric password inline keyboard to the user and ask him/her to enter the password by pushing your numeric inline keyboard buttons. In this way nothing is logged in the client, and you manage the user input as callback data on the server side.
The bad thing with this approach is that the user becomes limited to a numeric password.
Bot API 4.2 changelog (updated April 14, 2019):
The method deleteMessage can now be used to delete messages sent by a
user to the bot in private chats within 48 hours.
Since the method signature has not changed, any wrapper/framework (like python-telegram-bot) supports this operation by now.
This seems to provide a solution - https://github.com/yagop/node-telegram-bot-api/issues/328 .
Basically, there's a deleteMessage endpoint you can use - https://core.telegram.org/method/messages.deleteMessages, passing it the message ID. So when you get the message (with its ID), just delete it.
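A handler for the approach in the Bot API 4.2 answer above, added here as an example and not code from this thread or from any Telegram library: it deletes the user's password message within the 48-hour window before hashing the password, and takes an injected `post` function plus a constructed Update so it runs offline. The bot token "TOKEN" is a placeholder and the hash format is my own choice.

```python
import hashlib
import hmac
import os
import time

DELETE_WINDOW_SECONDS = 48 * 3600   # limit from the Bot API 4.2 changelog above
CALLS = []                          # requests recorded by the offline stand-in


def delete_message_request(token, chat_id, message_id):
    """URL and JSON body for the Bot API deleteMessage method (no network here)."""
    return (f"https://api.telegram.org/bot{token}/deleteMessage",
            {"chat_id": chat_id, "message_id": message_id})


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so the plaintext is not kept once the message is gone."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    salt = bytes.fromhex(stored.split("$", 1)[0])
    return hmac.compare_digest(stored, hash_password(candidate, salt))


def handle_password_message(update, post, token, now=None):
    """Delete the user's password message, then return (status, password_hash).

    `post(url, body)` is injected so this runs offline; in production wrap
    requests.post(url, json=body).json(). Deleting only removes the message
    from the chat, so the server must not log incoming update bodies either."""
    msg = update["message"]
    now = time.time() if now is None else now
    if now - msg["date"] > DELETE_WINDOW_SECONDS:
        return "too_old", None           # the API refuses deletes past 48 hours
    url, body = delete_message_request(token, msg["chat"]["id"], msg["message_id"])
    if not post(url, body).get("ok"):
        return "delete_failed", None     # ask the user again rather than keep it
    return "deleted", hash_password(msg.get("text", ""))


def fake_post(url, body):
    """Offline stand-in for the HTTP call: records the request, reports success."""
    CALLS.append((url, body))
    return {"ok": True, "result": True}


SAMPLE_UPDATE = {   # constructed, shaped like a Bot API Update from a private chat
    "message": {"message_id": 42, "date": 1_700_000_000,
                "chat": {"id": 12345, "type": "private"}, "text": "hunter2"},
}
```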
net website, I would like to implement forgot password. I am using the following steps:
A form having an input box for login ID and email ID and a CAPTCHA.
When the user enters details and submits, at the backend after validation a new password is generated and replaces the old password in the database.
The new password is sent to the user by email.
Please help me: am I doing this right or not?
Is there any other secure mechanism for the same?
[EDIT]
Thanks, I got your reply. Really this is a secure mechanism. But here I have a few doubts:
What message should I show to the user when he enters loginId and email address on the forgotten password page?
Should the message be the same for a valid user and a malicious user?
Advantage of using a CSRF token? Any help / link?
When the user clicks on the link, then what should I do? Because as I guess the user should automatically log in to their account, then after that I have 2 choices: (first) send a new password automatically to the user, (second) a new form will be shown to the user where the user will enter the old password and the new password twice?
Please help?
I can see why you'd want a CAPTCHA, but I'd take a different approach.
1. When a password reset is requested, check that a reset has not already been requested for that account within the last X minutes. If a password has already been requested, ignore the reset request.
2. Check the IP requesting the password reset. If that IP has requested a password reset in the last Y minutes, ignore the request.
3. If the checks in 1 & 2 pass, check the account exists. If it doesn't, ignore the request.
4. If we've gotten this far, generate a one-time token which expires in Z minutes and a password reset URL which encompasses this token. Email this to the registered email address. When the URL is loaded, prompt for a new password and reset.
For those who believe that you should tell the user where the email has gone I strongly disagree. This is "information leakage", even if you do limit it to the domain name. For example say I've registered on JeffAtwoodEatsBabies.com as blowdart. If Jeff had requested a password reset for me and you showed the registration domain then he'd see idunno.org. This is my personal domain and thus Jeff would know the blowdart user is, in fact, me. This is a bad bad thing. I should not have to register using hotmail or gmail or whatever in order to protect myself from your code showing an email domain to all and sundry.
In addition you shouldn't be showing error messages at all. No matter what happens, whether a username is not actually registered, too many requests have been made, or the sky has fallen, you should be telling the user that the password reset procedure has started. Informing a user that an account doesn't exist is more information leakage.
One final thing you could do is add a CSRF token to the reset request page, so it cannot be driven from other web sites.
Followup
So to answer your further questions.
What message you show is up to you. "Instructions for resetting your password have been emailed to the registered email for this account" is one idea, but really it's down to your audience.
Already addressed above.
Wikipedia is a good starting point. How you do it depends on your platform and is a complete other question! For ASP.NET you could look at my codeplex project, http://anticsrf.codeplex.com or look at ViewStateUserKey.
When the link is clicked I would first validate the token in the URL against the username it's being applied to then I would either allow the user to enter a new password, or generate a new one and email it. You can't prompt for the old one, as the whole point is the user has forgotten it!
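The four steps of the answer above, worked through as an added example that is not the answerer's code: per-account and per-IP throttling, a uniform reply on every branch, and a hashed, single-use, expiring token that is checked against the username on completion. The X, Y and Z windows, the `example.invalid` URL and the in-memory dictionaries are assumptions, and `send_email` is injected so nothing is actually sent.

```python
import hashlib
import secrets
import time

# The X, Y, Z minutes from the answer are left as assumptions here.
ACCOUNT_WINDOW, IP_WINDOW, TOKEN_TTL = 15 * 60, 5 * 60, 30 * 60
GENERIC_REPLY = "If that account exists, reset instructions have been emailed to it."


class ResetService:
    def __init__(self, emails, send_email):
        self.emails = emails            # {username: email}, constructed by the caller
        self.send_email = send_email    # injected (to, url) -> None; no real mail is sent
        self.passwords = {}             # username -> (salt, pbkdf2 digest)
        self.last_by_account, self.last_by_ip = {}, {}
        self.tokens = {}                # sha256(token) -> (username, expires_at)

    def request_reset(self, username, ip, now=None):
        """Steps 1-4 of the answer; every branch returns the same message."""
        now = time.time() if now is None else now
        if now - self.last_by_account.get(username, -1e9) < ACCOUNT_WINDOW:
            return GENERIC_REPLY                      # 1: account throttled
        if now - self.last_by_ip.get(ip, -1e9) < IP_WINDOW:
            return GENERIC_REPLY                      # 2: IP throttled
        self.last_by_account[username] = self.last_by_ip[ip] = now
        email = self.emails.get(username)
        if email is None:
            return GENERIC_REPLY                      # 3: unknown account, same reply
        token = secrets.token_urlsafe(32)             # 4: one-time token in the URL
        self.tokens[_h(token)] = (username, now + TOKEN_TTL)
        self.send_email(email, f"https://example.invalid/reset?token={token}")
        return GENERIC_REPLY

    def complete_reset(self, username, token, new_password, now=None):
        """Check the token against the username, consume it, then set the password."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(_h(token), None)      # single use, even when it fails
        if entry is None or entry[0] != username or now > entry[1]:
            return False
        salt = secrets.token_bytes(16)
        self.passwords[username] = (salt, hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), salt, 200_000))
        return True


def _h(token):
    """Store only a hash of the token so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()
```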
There are many ways this has been implemented. As you said, generating a new password and sending it to the registered email address is one method. I wouldn't suggest you go that route though, as my password would be reset every time somebody tried guessing my password.
Instead, the best thing I've seen to date is simply emailing the registered email with a link that will begin a password reset process. You may even let the user know which email address to check by showing a masked version of their email address used in registration:
An email was sent to ********@hotmail.com. Please check your inbox to continue.
Be sure to keep in consideration those of us who may forget which email address they registered with - typically a few security questions are a great way to make that information available.
I've done that recently. When the user enters their username or email address, we generate a unique token and email it to them as part of a link. Upon receipt of that email, they click the link, and are automatically logged in, taken to the my account screen, and prompted to reset their password.
Of course, this relies 100% on the security of the email client, but it's hard to beat from a usability perspective.
You should check the answer to the question: Can anyone provide references for implementing web application self password reset mechanisms properly? from D.W. on security.stackexchange.
It is the most complete answer I found on the subject. I also suggest you read this article: Everything you ever wanted to know about building a secure password reset feature