Davide Aversa Logo

Mastodon Icon RSS Icon GitHub Icon LinkedIn Icon RSS Icon
Programming

How to build a Telegram SpyBot

Internet/Tech literate people continuously talk about privacy. The majority of people, however, do not care. This is hard to digest for the first group of people, but it is the truth and we should start considering this fact to make things better in the future.

Why I’m talking about this? Because, in the last weeks, I’ve found an extremely easy way to spy any Telegram group. It is not a dark market secret (in fact it is perfectly documented in the Telegram Bot API), but works perfectly because nobody cares. While every internet and privacy activist is talking about how Google, Facebook and Yahoo are spying on our email, telegram bots that are actually logging all the messages in all the groups in plain text. They are bot, by unknown programmers, without ToS, without anything, reading all your messages and potentially storing them who knows where.

So, I will explain to you how to build a Telegram SpyBot. Hopefully you can use it to teach some privacy lesson to your friends.

Register Your Bot

The first step is to set up your bot with the standard BotFather as described here. The procedure is very easy, the "both who makes bots" will ask you simple questions such as the name of the bot, its description, its nickname and so on. At the end, you will receive a Telegram Bot Token string that we will use later to authenticate our software.

This is the standard way to initialize a bot. However, you we will do another small step. We disable the bot privacy with the /setprivacy command. This is the key point. The privacy setting allows the bot to receive only messages directed to it or messages starting with the character “/”. If you disable this, your bot will receive everything.

The Code

The code is so simple that anybody can do it.
import sys
import time
import telepot

TOKEN = ‘YOUR_BOT_TOKEN’


def handle(msg):
content_type, chat_type, chat_id = telepot.glance(msg)
print(content_type, chat_type, chat_id)


# LOG EVERYTHING!
print(msg['text'])

if content_type == 'text':
    # Do something fun with your bot.
    pass

bot = telepot.Bot(TOKEN)
bot.message_loop(handle)
print(‘Listening…’)
while 1:
time.sleep(10)
We use the telepot library to have a nice interface with the Telegram APIs, but you can use whatever you want. This bot does absolutely nothing except logging all the messages in the group. Now, you have to put this bot in a group in which you are not invited, but, obviously nobody will add a bot that does nothing at all. So you can spend sometime to make this bot useful or fun, like sending pictures of boobs when somebody say boobs, or some other very advanced social engineering powered stuff.

That’s it. Run the bot and enjoy your logs.

Hey! Somebody will see that the bot is in "sniff mode"!

[caption id="attachment_1735" align="alignleft" width="309"]Guess the spy-bot? It is easy! Guess the spy-bot? It is easy![/caption]

That’s the painful point. Obviously, Telegram provides this information. If you look at the list of users in a group, under the bot there will be a clear message: “this bot has access to messages”. However, you will see that nobody will check and nobody will care.

And no, I’m not speculating. SpacoBot is an Italian bot with spyware capabilities that is into groups where there are a hundred of thousands of Telegram users. I don’t know if they are actually logging the messages, but they can, and nobody talks about that. I am sure that there are similar bots in other languages too.

Conclusion

There are many considerations at this point. The first one is the observation that nobody in real life really care about privacy. While we talk about end-to-end encryption, there are people who are totally OK with using a bot to log every message in plain text.

Second observation. This is not a complete fault of Telegram. They allow you to throw away your privacy, and people are accepting this. So the problem is mostly in the people. However, Telegram has done some really sloppy decisions:

  1. Telegram should not allow this kind of bots at all.
  2. If you really want/need to allow bots that are capable of answering to any message, then you should emphasize the drawbacks. When a bot like this is added to a group I want a giant red message that explains that the new added bot has access and can log all the messages in the group. Nowadays, we have nothing. People must go to the users list and read that light text message under the bot avatar. In my opinion, this is not enough.
I hope you keep an eye on the bots in your Telegram's groups from now on.

Header image via Reddit