
An unusual use for a Telegram bot, and a Telegram security check


Some time ago I wrote about my project, Do Not Call!, where, when adding your phone number to the registry, you must confirm that the number is yours.

The standard confirmation methods, an SMS or a call, are pretty good, but not free. At SMS.ru, which we use, one SMS costs 1.5 rubles (the “SMS for 25 kopecks” advertised on the main page is a lie; there is no such tariff).

What are the free ways to confirm the number? The following came to my mind:

  1. Ask the user to send us an SMS from his number. I could not find a free Russian number that would receive SMS messages and forward them, for example, to e-mail (Zadarma used to have such an option). Using a non-Russian number would scare users away. An alternative solution, a personal number, an Android phone and an application such as an SMS Gateway, does not inspire confidence in terms of reliability and bandwidth.
  2. Ask the user to call us from his number. This option is even more difficult to implement.
  3. Check through Telegram.

The last option seemed interesting. How does it work? The bot asks the user to choose a site for authorization, and then requests the user's phone number. If the user shares his phone number, the bot confirms that number on the selected site.

In the Telegram Bot API, you can request the user's phone number:

    >>> import telegram
    >>> # bot is a telegram.Bot instance; chat_id is the chat with the user
    >>> contact_keyboard = telegram.KeyboardButton(text="send_contact", request_contact=True)
    >>> custom_keyboard = [[contact_keyboard]]
    >>> reply_markup = telegram.ReplyKeyboardMarkup(custom_keyboard)
    >>> bot.send_message(chat_id=chat_id,
    ...                  text="Would you mind sharing your contact with me?",
    ...                  reply_markup=reply_markup)

If the user agrees to give the bot his phone number, the bot receives the following:

    {
      "update_id": 912872664,
      "message": {
        "message_id": 57,
        "from": {
          "id": 777777,
          "first_name": "Ne Dimon",
          "last_name": "On vam",
          "username": "onvamnedimon"
        },
        "chat": {
          "id": 777777,
          "first_name": "Ne Dimon",
          "last_name": "On vam",
          "username": "onvamnedimon",
          "type": "private"
        },
        "date": 1492274787,
        "contact": {
          "phone_number": "79160000001",
          "first_name": "Ne Dimon",
          "last_name": "On vam",
          "user_id": 777777
        }
      }
    }

Can a user send a phone number that is not his own? He can. Instead of answering "Yes" to the bot, the user can send any other contact from his phone book. But in that case contact/user_id will not be equal to from/id, and the bot will know that someone else's contact has been sent to it.
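The check described above, as an added example (not the author's bot code): it takes an update as a plain dict in the JSON shape shown earlier and returns the number only when contact/user_id equals from/id. The function names, the digits-only normalization and the sample updates are assumptions made for illustration.

```python
import re

def verified_phone(update):
    """Return the sender's own number (digits only) or None if unverified."""
    msg = update.get("message") or {}
    sender_id = (msg.get("from") or {}).get("id")
    contact = msg.get("contact")
    if sender_id is None or not isinstance(contact, dict):
        return None  # not a contact message
    if (msg.get("chat") or {}).get("type") != "private":
        return None  # accept the answer only in the one-to-one chat
    # user_id is optional in the Bot API: phone-book entries that are not
    # Telegram users arrive without it, so a missing id must fail closed.
    if contact.get("user_id") != sender_id:
        return None  # someone else's contact
    # Assumption: the number may arrive with or without "+", so keep digits only.
    digits = re.sub(r"\D", "", str(contact.get("phone_number", "")))
    return digits if 7 <= len(digits) <= 15 else None


def make_update(sender_id, contact, chat_type="private"):
    """Build a constructed update in the JSON shape shown above."""
    msg = {"message_id": 1, "from": {"id": sender_id},
           "chat": {"id": sender_id, "type": chat_type}, "date": 1492274787}
    if contact is not None:
        msg["contact"] = contact
    return {"update_id": 1, "message": msg}


# Constructed sample updates (not real traffic)
OWN = make_update(777777, {"phone_number": "79160000001", "user_id": 777777})
OTHER_USER = make_update(777777, {"phone_number": "+79160000002", "user_id": 888888})
NOT_ON_TELEGRAM = make_update(777777, {"phone_number": "79160000003"})
NO_CONTACT = make_update(777777, None)

if __name__ == "__main__":
    for name, upd in [("own", OWN), ("other user", OTHER_USER),
                      ("no user_id", NOT_ON_TELEGRAM), ("no contact", NO_CONTACT)]:
        print(name, "->", verified_phone(upd))
```

The comparison is only as strong as Telegram's server-side guarantee that a contact carrying the sender's own user_id holds the sender's real number, which is the question the rest of the post raises.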

I was interested in the question of whether it is possible, using a modified Telegram client, to send someone else's phone number with one's own id. @BotSupport at Telegram claims that this cannot be done (perhaps there is a check on the server). But I don't really trust them (especially the Russian-language support), so I propose a task: confirm the number (916) 000-00-01 on our website (I checked that the subscriber at this number is not available; I think this number does not exist). To do this, follow the link to the bot and, in response to the number request, send the number (916) 000-00-01 with your id.
As I understand it, Telegram has no permanent bug bounty program, so whoever manages it will not get much. Although it would be possible to get some information about someone, for example, in the Tinkoff bank bot ;).

Source: https://habr.com/ru/post/328600/

