
CRITICAL ISSUE: TELETHON FORCES LOGOUT FROM ALL DEVICES AFTER CODE EXECUTION #4516

Closed
3 tasks done
vo0ov opened this issue Dec 9, 2024 · 10 comments

Comments

@vo0ov

vo0ov commented Dec 9, 2024

Code that causes the issue

from telethon import TelegramClient

api_id = 123
api_hash = 'secret'

client = TelegramClient('session_name', api_id, api_hash)

async def main():
    await client.start()
    print("Session started")

client.loop.run_until_complete(main())

Expected behavior

The session should start, and the user should remain logged in on all devices.
Existing sessions (including the official Telegram apps) should remain active.
The account password should remain unchanged, and there should be no forced logouts.

Actual behavior

10-15 SECONDS AFTER RUNNING THE CODE, THE ACCOUNT IS FORCEDLY LOGGED OUT FROM ALL DEVICES.
It is extremely difficult to log back into the account after this forced logout.
On the first login attempt, it often fails completely, making the account almost inaccessible.
On the second attempt, I managed to log in and had to IMMEDIATELY change the cloud password within the first 10-15 seconds before another forced logout occurred.
After changing the cloud password, the forced logouts IMMEDIATELY STOPPED.

Traceback

There is no traceback because the issue does not cause a crash. However, the problem occurs immediately after running the code.

Telethon version

1.38.1

Python version

3.11.0

Operating system (including distribution name and version)

Windows 11

Other details

Steps to reproduce:

  1. Install Telethon via pip install telethon.
  2. Run the provided code snippet.
  3. Observe that within 10-15 seconds, all active sessions are forcibly terminated, and the account becomes inaccessible.
  4. On the first attempt to log in, it is nearly impossible to regain access.
  5. On the second attempt, if successful, IMMEDIATELY change the cloud password within 10-15 seconds before another forced logout occurs.
  6. Once the cloud password is changed, the forced logouts STOPPED completely.

Security concern:
This behavior raises SERIOUS SECURITY ISSUES and suggests potential unauthorized or malicious behavior within Telethon. I downloaded the library directly from PyPI using pip.

The account password WAS NOT RESET during the forced logouts, which gave me the opportunity to recover my account by changing the cloud password.
This behavior strongly suggests that Telethon is involved in some kind of unauthorized or malicious session manipulation.

THIS IS A CRITICAL AND URGENT ISSUE. TELETHON IS FORCIBLY TERMINATING SESSIONS ACROSS ALL DEVICES AND RENDERING ACCOUNTS NEARLY INACCESSIBLE. IMMEDIATE INVESTIGATION IS REQUIRED TO DETERMINE IF TELETHON CONTAINS MALICIOUS CODE OR A SEVERE SECURITY FLAW IN SESSION HANDLING.

Checklist

  • The error is in the library's code, and not in my own.
  • I have searched for this issue before posting it and there isn't an open duplicate.
  • I ran pip install -U https://github.com/LonamiWebs/Telethon/archive/v1.zip and triggered the bug in the latest version.
@vo0ov
Author

vo0ov commented Dec 9, 2024

The owner of the library has been inactive for a long time. It’s POSSIBLE that their account was COMPROMISED.

My computer is COMPLETELY CLEAN. I have many other sessions from Pyrogram user accounts and bot tokens stored on this machine, and NONE of them have ever been compromised. Yet, my account was IMMEDIATELY HIJACKED — WITHIN JUST 10 SECONDS of running the code ON TELETHON.
This CANNOT be a coincidence, as there is no way my account was stolen from any other files or sources on my system.

@vo0ov
Author

vo0ov commented Dec 9, 2024

This WAS CLEARLY NOT Telegram's automated moderation against bots. After changing my password, the issue COMPLETELY STOPPED. If this were Telegram's moderation, it would have continued logging everyone out of the account under ANY conditions.

@Lonami
Member

Lonami commented Dec 9, 2024

Appreciate the detailed report.

This behavior raises SERIOUS SECURITY ISSUES and suggests potential unauthorized or malicious behavior within Telethon

You're welcome to audit the library. Telethon is not doing anything you don't ask it to do. But I understand that you don't trust my word for it, if you don't trust the library either.

This behavior strongly suggests that Telethon is involved in some kind of unauthorized or malicious session manipulation.

It is not. All code in Telethon was either written by me or reviewed by me, and no such "malicious manipulation" takes place. You can diff the code installed by PyPI with the one in the repository if you believe the PyPI package was manipulated (I publish it from my local machine, not a GitHub action, and I have OTP enabled.)

THIS IS A CRITICAL AND URGENT ISSUE.

I've been developing the library for years and have never had this issue, so I cannot reproduce. Other people can (#4051 is currently pinned), so I will close this as a duplicate.

TELETHON IS FORCIBLY TERMINATING SESSIONS ACROSS ALL DEVICES

Telegram is, not the library.

IMMEDIATE INVESTIGATION IS REQUIRED TO DETERMINE IF TELETHON CONTAINS MALICIOUS CODE OR A SEVERE SECURITY FLAW IN SESSION HANDLING.

Assuming I as the main developer cannot be trusted, someone else must perform such review.

The owner of the library has been inactive for a long time

This is not true. The last commit, 225ea9c, was merged 3 weeks ago, and I still respond to issues to the capacity that I can.

It’s POSSIBLE that their account was COMPROMISED

I have not received any such emails of unsuspected logins, and all my passwords are randomly generated.

my account was IMMEDIATELY HIJACKED

Hijacking implies the account was taken control over. Did this actually happen, or did Telegram simply kick you out?

This WAS CLEARLY NOT Telegram's automated moderation against bots

I'd like more concrete proof of this.

As it stands, this issue is not actionable.

@Lonami Lonami closed this as completed Dec 9, 2024
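The package-versus-repository comparison Lonami suggests above, as an added example that is not part of this thread or of the Telethon project. Obtaining the two trees is left to the reader (for instance `pip download telethon==1.38.1 --no-binary :all: --no-deps` for the sdist, extracted, and a checkout of the matching release tag); the function below compares any two directories it is given and runs here on a constructed sample. Files present only in the built package are not automatically suspicious, since a project may generate code at build time (I believe Telethon's TL layer is one such case, an assumption to confirm against the repository), but every such file should be accounted for rather than ignored.

```python
import hashlib
import os
import tempfile


def _hash_tree(root: str, suffix: str = ".py") -> dict:
    """Map each relative file path under root (matching suffix) to its SHA-256."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip VCS metadata and bytecode caches; they never ship in an sdist.
        dirnames[:] = [d for d in dirnames if d not in {".git", "__pycache__"}]
        for name in filenames:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests


def compare_trees(package_dir: str, repo_dir: str) -> dict:
    """Report files that differ between a built package and its source checkout.

    'modified' is the list a reviewer must read line by line; 'only_in_package'
    is where build-time generated files show up, and each one should be explainable.
    """
    pkg, repo = _hash_tree(package_dir), _hash_tree(repo_dir)
    return {
        "modified": sorted(p for p in pkg.keys() & repo.keys() if pkg[p] != repo[p]),
        "only_in_package": sorted(pkg.keys() - repo.keys()),
        "only_in_repo": sorted(repo.keys() - pkg.keys()),
    }


def demo() -> dict:
    """Constructed sample: a package copy with one altered file and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "pkg", "telethon")
        repo = os.path.join(tmp, "repo", "telethon")
        for base in (pkg, repo):
            os.makedirs(base)
            with open(os.path.join(base, "client.py"), "w") as f:
                f.write("def start():\n    return 'ok'\n")
        with open(os.path.join(pkg, "client.py"), "a") as f:
            f.write("import os  # constructed tampering, not real code\n")
        with open(os.path.join(pkg, "generated.py"), "w") as f:
            f.write("# constructed stand-in for a build-time generated file\n")
        return compare_trees(os.path.join(tmp, "pkg"), os.path.join(tmp, "repo"))
```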
@vo0ov
Author

vo0ov commented Dec 9, 2024

Appreciate the detailed report.

This behavior raises SERIOUS SECURITY ISSUES and suggests potential unauthorized or malicious behavior within Telethon

You're welcome to audit the library. Telethon is not doing anything you don't ask it to do. But I understand that you don't trust my word for it, if you don't trust the library either.

This behavior strongly suggests that Telethon is involved in some kind of unauthorized or malicious session manipulation.

It is not. All code in Telethon was either written by me or reviewed by me, and no such "malicious manipulation" takes place. You can diff the code installed by PyPI with the one in the repository if you believe the PyPI package was manipulated (I publish it from my local machine, not a GitHub action, and I have OTP enabled.)

THIS IS A CRITICAL AND URGENT ISSUE.

I've been developing the library for years and have never had this issue, so I cannot reproduce. Other people can (#4051 is currently pinned), so I will close this as a duplicate.

TELETHON IS FORCIBLY TERMINATING SESSIONS ACROSS ALL DEVICES

Telegram is, not the library.

IMMEDIATE INVESTIGATION IS REQUIRED TO DETERMINE IF TELETHON CONTAINS MALICIOUS CODE OR A SEVERE SECURITY FLAW IN SESSION HANDLING.

Assuming I as the main developer cannot be trusted, someone else must perform such review.

The owner of the library has been inactive for a long time

This is not true. The last commit, 225ea9c, was merged 3 weeks ago, and I still respond to issues to the capacity that I can.

It’s POSSIBLE that their account was COMPROMISED

I have not received any such emails of unsuspected logins, and all my passwords are randomly generated.

my account was IMMEDIATELY HIJACKED

Hijacking implies the account was taken control over. Did this actually happen, or did Telegram simply kick you out?

This WAS CLEARLY NOT Telegram's automated moderation against bots

I'd like more concrete proof of this.

As it stands, this issue is not actionable.

How could this happen? I’ve been using Pyrogram without any issues, even with multiple clients running simultaneously. However, the moment I launched a user bot with Telethon, all active sessions were forcibly logged out of the account. This behavior is unexpected, and I would like a detailed explanation.

@Lonami
Member

Lonami commented Dec 9, 2024

People use Telethon to spam. Telegram picks up on it and becomes more strict. There is nothing the library can do about it (and I'm not willing to play the cat-and-mouse game).

Plenty of people use Telethon with no such issues (otherwise, I cannot explain why the library is as popular as it is). So my best guess is, it really is Telegram, and we have no way to know what they check for.

I would like a detailed explanation

All I can tell you is Telethon isn't doing anything fishy to my knowledge, and you're welcome to review the code. Happy to fix issues if you were to encounter any.

@vo0ov
Author

vo0ov commented Dec 9, 2024

People use Telethon to spam. Telegram picks up on it and becomes more strict. There is nothing the library can do about it (and I'm not willing to play the cat-and-mouse game).

Plenty of people use Telethon with no such issues (otherwise, I cannot explain why the library is as popular as it is). So my best guess is, it really is Telegram, and we have no way to know what they check for.

I would like a detailed explanation

All I can tell you is Telethon isn't doing anything fishy to my knowledge, and you're welcome to review the code. Happy to fix issues if you were to encounter any.

Thank you for your response.

  1. I am not using the user bot for spamming.
  2. Everything works perfectly fine with Pyrogram under the same conditions.

@Lonami
Member

Lonami commented Dec 9, 2024

I am not using the user bot for spamming.

I did not imply such a thing. I am saying many others do, and Telegram knows some use Telethon for such activities.

Everything works perfectly fine with Pyrogram under the same conditions.

The order of requests or initialization parameters sent to the server likely differ, so the conditions are not the same.

@vo0ov
Author

vo0ov commented Dec 9, 2024

I am not using the user bot for spamming.

I did not imply such a thing. I am saying many others do, and Telegram knows some use Telethon for such activities.

Everything works perfectly fine with Pyrogram under the same conditions.

The order of requests or initialization parameters sent to the server likely differ, so the conditions are not the same.

How about sending requests in the same way as Pyrogram? If the difference in request order or parameters is the issue, aligning them might help avoid triggering Telegram's strict actions.

@Lonami
Member

Lonami commented Dec 9, 2024

How about sending requests in the same way as Pyrogram?

As I've said before:

I'm not willing to play the cat-and-mouse game

"Fixing" this would just mean Telegram would eventually learn this, people would continue to spam, and the story repeats.

@ValiumBear

Can reproduce and the fix worked too fortunately
