Problem
There is a possible vulnerability in how some Telegram bots and libraries for developing them handle payments made with "stars" (Telegram's internal currency). The problem is as follows:
- Some bots implement a payment system where users can pay for services or features using Telegram "stars".
- There are Telegram clients that can fake the number of "stars" at the client level. This means users can artificially increase their "stars" count.
- Some bots accept these fake "stars" as payment, even though there is no real transaction behind them.
Example of this behavior:
Note
However, the problem may NOT be caused by anything implemented in the library itself. In many cases, it could be related to how individual bots are implemented, or even be a vulnerability in Telegram itself. Still, it is important for bot libraries to raise awareness about this issue, as it may affect bots built with these libraries.
Proposal
- Conduct an investigation or audit to determine whether the go-telegram library (and bots built with it) could be impacted by the abuse of fake Telegram "stars" for payments.
- If relevant, improve documentation to warn library users about this problem and explain the security risks with Telegram "stars" payments.
- Provide guidelines or helper functions on how to validate such payments properly (for example, by always verifying payment status server-side through Telegram, not relying on client data).
- Optionally, propose changes to the library, if a technical fix or mitigation is possible.
Arguments
- Some bots and/or libraries may be vulnerable because they do not properly validate payments.
- Telegram clients that allow fake "stars" can abuse such payment systems.
- Developers and library maintainers should be aware that this risk exists and double-check payment validation logic.
- Documenting the issue and sharing mitigation steps will help reduce the risk for bots using the library.
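As an added illustration of the server-side validation the proposal asks for (this is example code written for this discussion, not code from the go-telegram library or from the issue author): the bot's own backend keeps a record of every invoice it issued, and the `pre_checkout_query` and `successful_payment` updates delivered by Telegram's servers are checked against that record before anything is unlocked. The struct field names follow the Telegram Bot API objects; the structs, the `Ledger` type and the order payload `order-42` are assumptions made for the example, and the sample JSON fragments are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Subset of the Bot API payment objects (field names follow the Bot API;
// the structs are defined here for the example, not the library's types).
type PreCheckoutQuery struct {
	ID             string `json:"id"`
	Currency       string `json:"currency"`
	TotalAmount    int    `json:"total_amount"`
	InvoicePayload string `json:"invoice_payload"`
}

type SuccessfulPayment struct {
	Currency                string `json:"currency"`
	TotalAmount             int    `json:"total_amount"`
	InvoicePayload          string `json:"invoice_payload"`
	TelegramPaymentChargeID string `json:"telegram_payment_charge_id"`
}

// Order is what the backend recorded when it sent the invoice.
// Price is in Stars: for currency "XTR", total_amount is the Star count.
type Order struct {
	Price     int
	Fulfilled bool
}

// Ledger is the server-side source of truth: orders keyed by the opaque
// invoice_payload the bot generated, plus charge ids already consumed.
type Ledger struct {
	Orders  map[string]*Order
	Charges map[string]bool
}

func NewLedger() *Ledger {
	return &Ledger{Orders: map[string]*Order{}, Charges: map[string]bool{}}
}

var (
	ErrUnknownOrder   = errors.New("unknown invoice_payload")
	ErrWrongCurrency  = errors.New("currency is not XTR")
	ErrWrongAmount    = errors.New("total_amount does not match order price")
	ErrAlreadyPaid    = errors.New("order already fulfilled")
	ErrReplayedCharge = errors.New("telegram_payment_charge_id already consumed")
)

// CheckOrder is the validation shared by both update types: payload, currency
// and amount are compared with what the bot stored, never with client data.
func (l *Ledger) CheckOrder(currency string, amount int, payload string) (*Order, error) {
	o, ok := l.Orders[payload]
	if !ok {
		return nil, ErrUnknownOrder
	}
	if currency != "XTR" {
		return nil, ErrWrongCurrency
	}
	if amount != o.Price {
		return nil, ErrWrongAmount
	}
	if o.Fulfilled {
		return nil, ErrAlreadyPaid
	}
	return o, nil
}

// ValidatePreCheckout decides the answerPreCheckoutQuery reply: a non-nil
// error means the bot should answer ok=false and abort the purchase.
func (l *Ledger) ValidatePreCheckout(q PreCheckoutQuery) error {
	_, err := l.CheckOrder(q.Currency, q.TotalAmount, q.InvoicePayload)
	return err
}

// ApplySuccessfulPayment is the only place a feature is unlocked. The
// successful_payment message arrives from Telegram's servers (getUpdates or
// webhook), so a Star balance faked inside a client never produces one.
func (l *Ledger) ApplySuccessfulPayment(p SuccessfulPayment) error {
	if l.Charges[p.TelegramPaymentChargeID] {
		return ErrReplayedCharge
	}
	o, err := l.CheckOrder(p.Currency, p.TotalAmount, p.InvoicePayload)
	if err != nil {
		return err
	}
	o.Fulfilled = true
	l.Charges[p.TelegramPaymentChargeID] = true
	return nil
}

// DemoResults feeds constructed sample updates through the ledger and
// returns the outcome of each step.
func DemoResults() []string {
	l := NewLedger()
	l.Orders["order-42"] = &Order{Price: 50} // assumed order, 50 Stars
	var good, cheap PreCheckoutQuery
	var paid SuccessfulPayment
	_ = json.Unmarshal([]byte(`{"id":"1","currency":"XTR","total_amount":50,"invoice_payload":"order-42"}`), &good)
	_ = json.Unmarshal([]byte(`{"id":"2","currency":"XTR","total_amount":1,"invoice_payload":"order-42"}`), &cheap)
	_ = json.Unmarshal([]byte(`{"currency":"XTR","total_amount":50,"invoice_payload":"order-42","telegram_payment_charge_id":"chg_demo_1"}`), &paid)
	out := []string{}
	step := func(name string, err error) {
		if err != nil {
			out = append(out, name+": rejected ("+err.Error()+")")
			return
		}
		out = append(out, name+": ok")
	}
	step("pre_checkout good", l.ValidatePreCheckout(good))
	step("pre_checkout underpaid", l.ValidatePreCheckout(cheap))
	step("successful_payment", l.ApplySuccessfulPayment(paid))
	step("successful_payment replay", l.ApplySuccessfulPayment(paid))
	return out
}

func main() {
	for _, line := range DemoResults() {
		fmt.Println(line)
	}
}
```

The design point is that a Stars invoice sent by the bot carries an opaque `invoice_payload`, and the price the bot expects lives only in its own storage; whatever a modified client displays as its Star balance, the bot grants nothing until Telegram's servers deliver a `successful_payment` whose payload, currency (`XTR`) and `total_amount` match that stored order and whose `telegram_payment_charge_id` has not been seen before. Answering `pre_checkout_query` with `ok=false` on a mismatch stops the purchase before any charge is attempted.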