Discord Screwed Up… Badly
Вставка
- Опубліковано 19 чер 2024
- What happens when you forget to follow the most fundamental thing about building a website? Well you get creative NFT and crypto scammers abusing Discord's incompetence to create the ultimate way to get your Discord account stolen. If you visit a specific page on Discord's website, you instantly get your account stolen. No clicking on phishy (pun intended) links or downloading an exe file. You visit the discord page and it's already over.
What a completely laughable and preventable event that occurred. Thanks Discord 👎
LINKS
-----------------------------------------------------------------------------
Server Forge Overview
/ 1603515845195472902
JustCC's ELI5 + upsetness
/ 1603337868428152834
Vice banger article
www.vice.com/en/article/wnjwb...
SOCIALS
-----------------------------------------------------------------------------
Discord Server
/ discord
TIMESTAMPS
-----------------------------------------------------------------------------
00:00 - The scam
01:24 - Explanation
06:04 - Why this is unforgivable - Наука та технологія
Wow... This is a school grade level exploit. Anyone who paid attention to basic website security knows how to prevent this attack. And yet Discord's dev team is so incompetent that it couldn't even prevent something this basic.
discords dev team is 12 year olds what want the badge
So why it this action not considered as in purpose? If so much money is being stolen, then a kickback is obvious.
@@0.r0 who wants
@@0.r0 You seem like you're 12 with that spelling. Discord devs work at discord for money not a badge? And you have to be over 18 to actaully work at discord.
Bros the developer police 😭 the devs have hundreds of things to do they aren't able to check every little thing
The crazy thing is that React (which Discord is built with) literally has XSS protection built into it, meaning the developers had to deliberately go out of their way to make this exploit possible.
Discord is made with electron
@@Choroalp youre dumb
@@hovac. yes i am(and how do fuck you managed to find me)( some people saying itami might be backdoored)
@@Choroalp electron is the desktop framework, react is the frontend framework which discord is built with
@@Choroalp electron is just repackaged chrome and nodejs. You can use any framework with it, including react, which is what discord does
They use React and still got an XSS issue?! That's honestly unforgivable.
lmaao
Lmao someone just likes using dangerouslySetInnerHTML
@@jackdavenport5011 lmao they should just change it to innertext and its gone
Do they even code review at this point
@x41ih10a You're right lmaoo
God, the absolute leveling that this guy does is addicting.
This guy feels like one of those parents that would go: "Yeah, school sucks, heres why it sucks-"
Facts
Nah it's true tho
is is
Why don't we create a script that generates tokens and sends them to all known token saving sites? Fill up their databases and have them be less effective
Actually, I found my goal for today xD
Safer to send junk and not actual tokens. Provided they don't have checking it'll still work and doesn't carry the risk of accidentally sending a legit token.
well there is a chance you can generate a legit token
@@polaris2707 Yea, would probably make sure to add or remove some random part to it to be safe
Exactly my thought. You just need to put it trough a service that sends it from different IP addresses first or they can filter it easily.
Fun fact. Changing your password doesn't always work. I actually once got hacked on Discord, and instantly changed my password the moment I knew what had happened. Before the scammer even had a chance to do it themselves. They still got control of my account.
Next level tomfoolery indeed.
In token stealing exploits, you may have to explicitly invalidate all your login sessions, which discord does allow you to do. Changing passwords doesn't necessary invalidate all existing login session tokens, though if discord had any sense they should.
They probably just send an automatic POST request to change the password to the discord server upon receiving the token immediately. Most likely that's why you don't have time to change your password in time
This seems to be a monthly thing now. Just don't click links. Simple
XSS vulnerabilities like this one are very rare.
I dont know if I should say this but I literally saw/knew a guy who said he can just token grab people by just giving a invite link and that was over a year ago ,just how many people have known about it before this vid almost scary
i mean, this link is looking safe. So the only possibility is, to not use the internet at all or don't use services like discord (what ever this means)
@@AANyt or just don't be dumb and have like 3000 layers of protection ezez
@@SurmenianSoldier or don't be dumb and click on whatever unsuspecting tinyurl links you see pop up
I've heard Twitter had a self-retwitting script that works just like this, but that was several years ago.
Can't believe this still happens
ua-cam.com/video/zv0kZKC6GAM/v-deo.html
@@Coder_Tavi links get censored by YT (only the poster can see it, nobody else), which might explain why it's showing "2 replies" yet only one shows up
It was TweetDeck not Twitter as far as I know
NTTS is a youtuber I actually like to watch nowadays, even tho its about subjects I don't even know much about or affects me
@@stavratum 💀
@@stavratum if u don’t care then why’d you respond
@@izzyxvibes cause he is a fan
@@stavratum we don't care that you don't care
@@stavratum you seem like an angsty teenager with a "p" addiction.
I’m honestly astounded that in 2022, Discord of all companies managed to accidentally create an XSS exploit.
Well Google had one, so why stop the incompetence there?
Bro u clearly know nothing.
1. They didnt create an XSS Exploit, a person which found the vulnerability created the exploit
2. Even in Google, Nvidia, Apple etc. are xss, and even more dangerous vulnerabilities (like ssrf, or with that RCE) found (daily), so pls dont just talk shit about discord, when u clearly know nothing about this topic.
Look at for example Hackerone and see how many reports are daily submitted and resolved.
@@testuser1235 I ain't your "bro", either way you're still incorrect. Discord developed the application therefore they created the exploitable surface. Perhaps I didn't make that part of my comment clear.
I'm not sure why you're white knighting Discord as if they're gonna give you a job for defending them...
@@sluuuudge nah, im Not defending them, but I just can‘t stand people who think, Discord is the only Company who has vulnerabilities like that.
@@testuser1235 discord is the one company getting fame astoundingly fast ,with mass comes critics
Discord try not to create a security vulnerability with every new feature challenge (impossible)
Someone, please make this man a Discord Mod. He does figure out more than discord itself.. Hats off man. Love from India
NO OH GOD PLEASE DONT MAKE HIM A DISCORD MOD I DONT WANT TO BE HIS KITTEN
@@clouderinospooky
WHY ARE INDIAN PEOPLE EVERYWHERE LITERALLY EVERY COMMENT I SEE IT SAYS "LOVE FROM INDIA" AT THE END
@@itsarian. because they had too many kids
Why tf you insulting him for? Why do you want him to be a discord mod?
This is as good as a reminder to everyone to SANITIZE YOUR INPUTS.
xkcd reference
@Jimmeh make inputs(what they user types in a text box) basically only work for the purpose you give them, no funky business, lol
@@QUASAR098 Happy holidays to Bobby Tables
@@jimmydabear Design your website so that if the user types in computer code instead of a password their code doesn't get run.
This has nothing to do with input sanitation lmao
Discord messed up??!?! No way! Impossible!
-_-
Who could have guessed???
This is the first time this has happened in so long, I forgot Discord ever messed up!!!!!
Looks like $800K wasn't that much for Discord, they should be again fined
there should be (again) in the title 😂
Lol
Following this logic, the next exploit is gonna be "someone accidentaly typed 'DROP DATABASE discord' oops"
Or used "gets(password)"
IIRC they use nosql database, it would be impossible for that to happen, but xss, yea, those are different
The only vulnerability that's more unforgivable than XSS is SQL injections...
That this happened to a big company like Discord is even worse...
I appreciate you making these videos. I love waiting to get into a MW2 match and watching discords biggest mistakes.
MW2?
@@jn567 Modern Warfare 2
@@jn567 jc isn’t really a gamer if he doesn’t know what modern warfare 2 is
@@uhKilz facts, he's probably 9 years old and plays Minecraft.
Thank you for bringing this to light. You’re one of my favorite UA-camrs
damn bro thats crazy, they only did a minor felony this time?
NTTS, you covered this so well!
* I don't feel sorry for the idiots that have a lot of money I guess.
They’re NFT bros, don’t 💀
What the guy above me said
What the guy above the guy above me said
What the guy above the guy above the guy above me said
What the guy above the guy above the guy above the guy above me said
I'm happy that I never fell for this scam because I got a lot of these DMs but I just ignored them.
i accidentally fell for one before like a month ago XD now im worried
@@tristanrhodes2789 change your password if you haven't already.
@@IllagerCaptain Yeah i did but that isnt the issue they have my account token not my password XD
Thanks for letting us know man, I hope you stay safe out there
Thank you for sharing this important information about the Discord NFT scam link. Your video is helping to educate and protect the community. Keep up the good work in raising awareness about these types of threats
my face when discord's website is vulnerable to the simplest Cross site scripting imaginable.
Your videos are getting better & better! I follow you since you had 50k subs. Great job!!
I found someone that’s been doing this to get people’s tokens and selling their tokens since the QR code scam, I’ve always thought this was possible but never had a sample to work with like you did, good job man!
Thank you NTTS for a birthday gift that is this video
A few years ago a security researcher found an XSS vulnerability in TweetDeck and used it to make the only self retweeting tweet.
As someone that is still learning web development, this stuff kinda scares me. My knowledge on network security as well as vulnerability detection is not that much yet.
Hey, I have been watching for a long while, and I only now just realized that I was never subscribed! Your videos have always been recommended to me :)
This is why you gotta set your CSP headers. Even if somebody messed up the actual code itself, a good CSP will stop it from actually doing any harm!
I'm pretty sure the reason they were embedding the script off UA-cam was because of the CSP. So no, CSP would not have stopped it
i didn't even know what this was called but as soon as i saw the html i knew exactly what was going on.
like no way did they let you just write html in a text description like that
That's like a fox guarding the henhouse
man, the last time I saw such a major and easy xss vulnerability was xss in tweetdeck 8 years ago. and that was just a self-retweeting tweet.
such incompetence.
Spectacular analysis. Thank you!
Fantastic video to inform us all about it but to be honest if you just stick to the rule of never clicking on any links before asking around or anything is the safest way to go
Do not let your curiosity or greed get the better of you as those are usually how you fall for any scams
Always ask yourself what could happen or simply why do I have to click on something someone sent me in dm which I have never spoken to before.
Always have a certain level of distrust as come on this is the internet unless you know them personally irl you should always that certain level of awareness as anything could happen such as even your best friend on internet for years could turn on you for personal benefits
Im gonna sleep very well tonight knowing that NFT are losing money again
And probably you are using NFTs in products without even knowing. But yeah, be stupid. And no, NFTs aren't JPG's.
@@user-ku9vx6uj4o AHAHAHAHAHAHAHAHAHAH
@@0xNe NFTs are used in cars from Alfa Romeo for example. NFTs are for metadata storage, and yeah, a lot of people (mostly scammers) use it to store a link to a image to sell it. But NFTs aren't images or something. This metadata can be anything and can be used for a lot of things (car maintenance info, keys to your car, event tickets, subscriptions, in-game characters or items, login info etc).
@@user-ku9vx6uj4o no shit, wheres ur prev comment? and where did i ask what are nfts? i know what they are, and I, in fact, know that people who bought into nfts are dumbest people in existence and most of them lost money, so every time they lose again, its a good news
@@user-ku9vx6uj4o ye i dont see yours too i only see the one from 1hour ago, others are only on notifs, we will argue some other day since theres no point if we cant see comments, have a nice day sir
Thanks for the information, Shared in my discord server
This happened to me. I got offered to be paid to "test" a service or something similar and be invited to a server. I just simply ignored those DMs. They were persistent and would try one or two more times, I still never clicked on them.
That cherry server really went through a lot of pain mainly thier owner🤣🤣🤣
Abee 👁 👁 😂
👄
@@twilighttales-kya bol raha hai bhai
The moment I hear "This was against NFT groups" I immediately agree with the exploiters
A friend of mine lost his account to this. Luckily we were able to recover it, but it was scary for a while there.
I've been using that new string type quite a bit lately. It's very useful.
i’m genuinely surprised this was overlooked, literally no validation checks or encoding on the html to make sure that scrips aren’t being executed.. it’s unsurprising coming from discord though
@@zydn it’s discord 😂 they always find a way to make something worse
@@zydn Yes that’s true when using JSX. But this exploit was done through the state management software. When someone loads the page it get exploited before the page even renders out html. If it was in the JSX it would have been sanitized
@@zydn React takes some steps to protect against simple xss attacks and html input vector rendering. displaying script tags, for instance, or other things. The exploit in this case is trickier than you might expect because it only guards against DOM-based XSS assaults, although XSS comes in a variety of forms. Having said that, data sanitization might have easily avoided this.
brainfart: could people theoretically spam the blueh and/or hawkemedia links with fake/random tokens via scripts to throw some sand in their gearbox? obviously not all from the same IP so it's not as easy for them to filter out. they'd have to figure out if the tokens they collected are actually valid, and i guess would be kinda pissed if 99% aren't lol 🤔
i remember when tweetdeck had a xss self retweeting tweet a long time ago. How so many people don't see this issue with their websites is crazy to me
To be honest, I'm not even suprised anymore that Discord has another exploit. If they fix one, someone will find another one 😅
This shows how little testing they have. If they'd had more testing, especially for such a simple webpage, this would have never made it to live.
Xss is very simple to prevent and, as many people have posted many times before, is very simple to escape a user's input.
Apparently Discord doesn't know/follow the "never trust user input" rule.
Also, with Discord being as big as it is, you'd think they'd do vulnerability testing that would have told them about this problem long before it got out of dev.
"Surprise penetration testing"
Sucks that it happened, but at least it was a bunch of crypto nerds and not actual human beings
That's a bit harsh. I don't even do crypto
I think what's crazy is that people are just now figuring out about this exploit which has actually been around for nearly 2 years now.
Also most of the people hijacking accounts are focusing on people with og or "leets" for username and account age so that they can keep it and or sell it. A "leet" would be a username like root#0001 for example.
Keep slaying no text to speech
SLAY QUEEN 💅💅💅💅💅💅💅💅💅💅
This is why it's a good idea to use Element instead, Discord just keeps on getting these weird instabilities.
that's for companies... just use guilded if you really dislike discord
(i don't use guilded it sux)
@@C00L3R Not really. It's like saying Slack is *just* for companies.
The only companies on Element in my vicinity is the company of the lads.
Also, with Guilded... Roblox Corporation. Enough said.
Plus, it's free (libre) and open source, which should be the norm for communications/chat apps.
This is why you don't click links. Even if it's from someone you think you know, try to engage them in a conversation (esp if you haven't heard from them in a minute); if they talk different than normal, you know
That with the worm is talked about with interview on darknet diarys
I really hope you get to be a discord mod. You do more than the discord staff at this point. PLEASE LET ME BE YOUR KITTEN 😳😳😳
what the hell
Took me a minute to get that reference
It is possible to do a lot of input sanitization, CORS policy changes and CSP changes to circumvent a lot of XSS, but in the end you probably won't get everything. Hackers will reverse a site and try to find a bypass to the filter you set in place. It isn't necessarily Discord's fault because it took hackers this long to discover it. It just goes to show that nothing you do as a security researcher and engineer will truly patch a vulnerability fully, but instead just makes it harder for a hacker to exploit it. Discord does have a bug bounty, but if crypto scams will yield more money than the reward money from the bug bounty, it makes more sense for hackers to exploit it rather than responsibly disclosing it.
this is a new feature that just came out with discord that got XSS'ed
@@JaivianDean Even then, reflected XSS is one of the least serious types of XSS. If it were to have been stored XSS, we would have had a huge problem (worse than this one). This still required a little social engineering and user interaction to pull off. Though that kinda makes sense, they should have probably checked for something like that before they pushed an update.
Like I said, the only way to stop this, is to deal with the hackers one on one. Trying to patch up a broken wall, to hide from them, is only delaying the inevitable, because they will ALWAYS find you. Sadly, everyone chooses to literally allow them to do these things.
@@Sopitive or just be smart, don’t click on those links, if you want do it in a incognito mode or a vm (though, this is not really practical)
Where's my "I love you bye bye!" 😭best part of your videos.
That’s really really bad. The fact that this is even a possibility in this day and age is insane
It wouldn't have been a thing in this day and age if we'd gotten rid of the hackers a long time ago. But we don't. We just keep gluing a cracked wall together with raisins and mud hoping that someone can't just bust it down and get to you.
these security exploits are really making guilded look like a feasible option
Guilded is owned by Roblox.
Don't move to an equally trash platform. Pick something open source, like Element or Signal
I can't believe that discord forgot about it! It's legit on the OWASP top 10 web app vulnerabilities. A lot of these big companies forget about web app security 101 and it's sad.
They outsource things like frontend to their diversity-hire tokens or to overseas workers entirely. Many major companies do it. It's why websites like UA-cam and Discord are getting progressively worse and worse from an interface perspective
Even I, someone who makes tiny Github websites with no actual security risks, patch XSS. How did Discord forget?
it’s insane discord never patched this, i literally used it in 5th grade to mess with my friends on websites they made
You should really look into being a security researcher, great work!
No Text To Speech should or the person who found it should? All they did was read the work of others so I don't see why a parrot should be a security researcher
I was around the hacking space when this vulnerability was found. My friend tested it on me and we thought it was a cool little gimmick but nothing worth using against anyone except enemies. That was 6 years ago I believe, if it’s really been this long and they haven’t patched it, that’s extremely sad. Honestly a low level exploit as well.
This is why I stay logged out in my browsers
really cool video!
can you tell me what explorer do you use? or what theme do you use to make it look that way?
i been trying to find a cool browser and yours is really cool.
im not a security engineer or anything, but didnt this exact same thing happen with Flash? Like this is one of the most simplest things to avoid.
Yes xss is literally thought in schools, that's how basic it is to do
What one could do in case of these dead ends mentioned in the video, it is always possible to look where the servers are hosted and what they are doing with them. ping, traceroute and nmap are your friends.
how is discord so shitty that there are 392829 ways to get a totally well protected and hidden token that can access your entire account
I actually had my Discord account stolen a while ago - after signing into what I thought was a Discord page. They changed my password (which is how I learned that the account was hijacked). They deleted everything, logged my account into a bunch of random servers, then game my account back.
When I contacted Discord, they told me that it was impossible for my account to have been stolen. After I got my account back (no help from Discord on this front, since they insisted that it wasn’t even possible), I asked them if they could tell me where my account was accessed from. I never got a reply back from them. I found out on my own, using Discords own tools, what countries (yes, more than one) my account had been accessed from between the time it was stolen and the time it was “returned”.
Whoa! Some classic XSS just became a 0-day on Discord. How unexpected! 😂
So glad I've been sick the last few days
Funny how I got a discord ad at the start
I'm wondering if that's what happened to me yesterday or something new, cuz someone else was on my account for a bit, but instead of sending links they went into a vc as me and yelled slurs.
that's crazy. well on the slightly bright side, at least it's fixed now...
Does Discord not have a blue team? It sounds like they don't from the presence of these scams and exploits.
Your discord token will automatically change within 6-8 hours I think or maybe 12. It doesn't stay the same forever. They can send automated requests using that. But they can't change your password or access the full discord account. Unless they know the Server ID, Channel ID in which they want to send the message in. So they would have that info probably of only one server in which you were with the guy that sent you the link.
Two wrongs in this message. Firstly, the Discord token does not expire until you change your password or change two-factor authentication settings. Secondly, you are able to access the full account, it's very simple to log into an account using the token. Don't spread false security tips, it helps no one
Wait, they hold the session token in the local storage? Did they made this with some random ass tutorial on the internet?
are those coloured tab groups a chrome plugin on is that a build in feature of chrome?
I like how they're just using a default nginx forbiden page like "damn this is so easy we dont even need to make it look like its not a scam!"
"Discord messed up server discovery" - i already thought about xss
You can use burp suite to check what it is doing in detail
the light mod thumbnail BRUHHH
literally 101 stuff at that level
When i saw the video title i thought: yeah do they actual do good things instead of hurting its users and platform like i have never seen that discord does something good
the thing is, how are you supposed to know theirs a volubility in something intill it gets found?
Wich Browser are you using? It Looks so cool with the rounded edges
how on earth do they not endlessly dom-purify the shit out of everything user generated?
What did you do to your firefox to make it look like that? the coloration of boxes and lines around the tabs to be specific.
He explained that a few videos earlier. İ don't remember which video was it
You can group tabs together
@@thelegendaryorb5745 Maybe in 2016... because they absolutely do not do that.
Stealing a Discord token is incredibly bad. If you lose the token and the recipient has any sort of scripting set up, you can expect to have the entire account stolen inside of 30 seconds.
I'd fallen for a phish where I was asked to test a game distributed over Itch. It stole my Discord token from my Discord desktop client, logged me out, and closed the client.
And despite having 2FA on my account, I was unable to log back in again, as the token thief managed to strip 2FA AND change the password AND change the email address on it. Without any sort of request for 2FA tokens from my phone or passwords.
I'd asked Discord support over Twitter for assistance, and they'd reverted the email address back to mine... but presumably the token never got reset or the token stealer was still running on my machine, because it was stolen and yanked away from me yet again.
And yes, I was a paying Nitro user with saved payment information. Thankfully, because I paid via PayPal, I was able to tell PayPal to never send any money toward Discord and saved myself ~US$150 of fraudulent purchases.
Why does the outro always catch me off guard?
Wow I was wondering all the warnings saying not to click links lmao
Sometimes, it's the implementation of XSS prevention which is vulnerable. There was evidence of existing XSS prevention in the audit that was made. Don't flame them too hard.
These vulnerabilities look as bad as the ones on the Roblox website lol
I was planning to use discord login built into opera gx to use alt account from the main program, but this seems like such a big security flaw now
There was a similar /script exploit on twitter a few years back, it wasn't malicious but it easily could have been
All it did was as soon as a tweet was loaded, it would automatically make you retweet the heart emoji and anyone who loaded that tweet would also do it
Thanks for the interesting video.
It's stupid that Discord did that, but it is also astounding that redux put the vulnerable code on their website, with only a comment in the snippet saying "hey check this link for security issues", instead of including the two function calls that make it safe. And then I wonder why Discord server side renders/ templates it in there in the first place, js can access the query param itself...
Truthfully as a developer I have to say that unfortunately I have had many less than competent colleagues, and combined with pressure and negligence from management that has lead to very similar and worse issues a number of times. These issues don't come out of nowhere.
i have used react for a while now. i have tested using script elements in text placed on the site. it never runs. how did discord mess up that bad? you have to specify it to render html in react