I Hacked a Discord Bot, the Owner said this...

Поділитися
Вставка
  • Опубліковано 21 лис 2024

КОМЕНТАРІ • 1,4 тис.

  • @NoTextToSpeech
    @NoTextToSpeech  11 місяців тому +3481

    1. Do not harass the bot developer. Yes, he didn't say thank you, but he did fix the issue quickly. Harassing someone because of poor manners aint the move.
    2. The vulnerability is patched, please stop asking me how to hack into captcha.bot. I will never make a video on a live vulnerability because some of you are rascals.
    and finally, I was told that people are asking other bot devs if their bot is safe and linking this video. That is perfect, that's the goal of these videos. Whether it's a one man team or a big company, people will exploit discord bots and use it to ruin people's communities or scam a bunch of people. And everyone getting a little scared of eva, and double checking the security of their bots, is going to make the community a better place. (Even if it means I have to burn my bridges with bot devs that disagree).

    • @NeedForSpeedRTX
      @NeedForSpeedRTX 11 місяців тому +4

      Oh

    • @RoyaleWind
      @RoyaleWind 11 місяців тому +35

      i hope he learned now atleast to not hardcode his id and to write a good api (there a propably still allot of vulnerabilities)

    • @iwasneverjoebiden
      @iwasneverjoebiden 11 місяців тому +6

      that's reasonable

    • @7heMech
      @7heMech 11 місяців тому +2

      Well, the video could still be a clue to another exploit, if such a dumb loophole existed, there are likely many more.

    • @bnanik
      @bnanik 11 місяців тому

      yes

  • @T_nology
    @T_nology 11 місяців тому +3157

    How are these bots so hilariously insecure? The fact everything could not only be done so easily but also all within the browser's DEVELOPER TOOLS is a huge problem.

    • @IanGaming101HD
      @IanGaming101HD 11 місяців тому +85

      @@VaultCord its the person who created the bot's fault, the website made for his bot has lots of vulnerabilties.

    • @bablela26
      @bablela26 11 місяців тому

      I finally understood why dumbasses politicians wanted at one point to block the inspect page... Wait, no they just are incredibly dumb and if they catch a glimpse of dev tools they will completely loose their mind lmao

    • @nocturnaldev8607
      @nocturnaldev8607 11 місяців тому +33

      ​@@VaultCordthey do, if only you cared to read the terms of service instead of blaming them for every goddamn thing

    • @Minecon724
      @Minecon724 11 місяців тому +3

      well you don't need any proven skills or any signed legal things to create a bot

    • @wiirlak8681
      @wiirlak8681 11 місяців тому +5

      @@VaultCordIt's the law to disclose data breah, bots' owner not following it (or the ToS) is not Discord fault - but Discord is at fault for not going after them after that through.

  • @QSABDO
    @QSABDO 11 місяців тому +4986

    this guy needs a lesson on how to properly protect his API endpoints... hilarious

    • @Neninho_
      @Neninho_ 11 місяців тому +210

      What do you mean? Checking the locally cached ID in the frontend with no proper backend verification is totally enough. /s

    • @masterman1502
      @masterman1502 11 місяців тому +28

      Their sourcemaps are still public, btw (the "Webpack" folder). Either theirs, or their payment/subscription processor

    • @giorgiotr
      @giorgiotr 11 місяців тому

      dark is an idiot

    • @TheRealKiRBEY
      @TheRealKiRBEY 11 місяців тому +15

      As a non coder whats an API?😊

    • @itznerdyfox7479
      @itznerdyfox7479 11 місяців тому

      ​@@TheRealKiRBEYme work wit someone else's application via my own code

  • @AquaQuokka
    @AquaQuokka 11 місяців тому +1518

    Having this little protection is shameful. There is a complete lack of basic security measures...

    • @toydotgame
      @toydotgame 11 місяців тому +35

      im literally not a web dev and seeing that js auth code immediately set off alarms

    • @kibbewater
      @kibbewater 11 місяців тому +7

      ​@@toydotgame so if you are not a web dev, don't comment on the matter, authorization headers are completely fine and pretty standard for many applications

    • @Omega-mr1jg
      @Omega-mr1jg 11 місяців тому +27

      ​@@kibbewaterwhat. for an app like this? Okay

    • @bennybouken
      @bennybouken 11 місяців тому +10

      ​@@kibbewater💀

    • @kibbewater
      @kibbewater 11 місяців тому +15

      @@Omega-mr1jg The Auth headers were not the problem, lack of handling them correctly was.

  • @kuuravr
    @kuuravr 11 місяців тому +675

    All those recent exploits discovered in bots is why I keep stressing to people to properly setup their servers and not blindly give bots permissions they don't need.
    Thank you for bringing light to these exploits, hopefully this pushes people to stop blindly trusting bots and for devs to be more careful with security

    • @GoldbergToastyBred
      @GoldbergToastyBred 11 місяців тому +8

      ye like who puts checks, security, etc in front-end?

    • @Liggliluff
      @Liggliluff 11 місяців тому +6

      I had a server where bots have different functions, but these bots only had access to the channels they should have access to. For example, no access to #general or #moderation.

    • @kuuravr
      @kuuravr 11 місяців тому +4

      ​​@@LiggliluffThat's pretty much how I do it, if it doesn't need to view a specific channel then it's restricted from it, if it only needs to read and not talk it won't have send message permission except for logs channels, etc

    • @ItzPubby
      @ItzPubby 11 місяців тому +1

      #1 advice i can give. Don't use bots. Bots are fully automated without human input when it comes to authentication. The best security you can do, is have active HUMAN staff members in your servers. I get the appeal for bots, but if you bringing them in from a third party, you are literally relinquishing control to someone you dont know if you can trust or not. Weither if the properly took the percautions. So, set up your discord and manage it yourself.

    • @kuuravr
      @kuuravr 11 місяців тому +5

      ​@@ItzPubby I wouldn't say that's a good advice, bots are helpful when used right especially when you have a large server or want to setup something specific, the issue is people are too lazy to set up bot properly and just gives it admin so it does its job, they don't organize their server roles properly, they don't disable bot features they don't need and don't restrict the bot accesses to what it doesn't need, they don't know how to look for the signs that a bot isn't made properly (such as its invite auth link requesting admin perms in any capacity).
      Sure if you're running a small server you probably don't need a bot, but they're a good tool and people needs to know better when using said tool.

  • @4lokas
    @4lokas 11 місяців тому +920

    As a Cybersecurity Student, that was the shitiest security that I have ever seen in my whole life 💀

    • @turtleparty7241
      @turtleparty7241 11 місяців тому +28

      that means you haven't been in cybersecurity for very long (no offense)

    • @distorted_heavy
      @distorted_heavy 11 місяців тому +190

      @@turtleparty7241 bro doesn't know how school works

    • @4lokas
      @4lokas 11 місяців тому

      @@turtleparty7241 A year and learning (yes, its not too long imo, doing hackthebox machines rn)

    • @drm.himself
      @drm.himself 11 місяців тому

      ​@@turtleparty7241 He said he was a student 🤨

    • @Goovdluck687
      @Goovdluck687 10 місяців тому

      ​@@turtleparty7241 so someone can easily hack into a bot by using F1 and it's not the shitiest security?

  • @lebleathan
    @lebleathan 11 місяців тому +1226

    As a full-stack developer I can confirm that this is so amateur and unprofessional, no-one should trust a single product from this developer EVER. Remove captcha bot from your servers rn.

    • @GoldbergToastyBred
      @GoldbergToastyBred 11 місяців тому +14

      hecker

    • @Dultus
      @Dultus 11 місяців тому +70

      That's what happens when you just throw everything to the front end. x)

    • @Lampe2020
      @Lampe2020 11 місяців тому +36

      Verification etc. should be done on the backend and be a little more secure than just sending _any_ auth header. It should verify the auth header that it's actually the owner and probably a lot more.
      I even have such a login on my website, but you need the right password and username to get logged in and _then_ it just sees "Logged in? Okay, here's your perms!", because I am the only user account there. And eventually I'll replace that with a third-party OAuth login instead of an own one.

    • @tabletopjam4894
      @tabletopjam4894 11 місяців тому +9

      this is what happens when someone spends too much time in js land lol

    • @WindowsDaily
      @WindowsDaily 11 місяців тому +3

      I can't even tell how it'd make it any easier. They clearly know the account to give the server to, so all they have to do is put the if (user is not me) check in there. Sure it can be put in the client side too, but just one line in the server side would have been enough to stop it.

  • @sluuuudge
    @sluuuudge 11 місяців тому +204

    As someone who has dabbled with a bit of bot development here and there on Discord, I have seen so many examples of other developers who think they're too good and too big to acknowledge other people around them - especially when it's criticism or feedback. Not surprised at all that Dark ignored your DM and I can guarantee that had you sent it from your NTTS account he 100% only then would've bothered replying.

  • @Gandalf_Potter00
    @Gandalf_Potter00 11 місяців тому +228

    I'm not surprised that Dark was unresponsive after you basically saved his bot from destruction and chaos. Every interaction I've had with him (through the Arcane server), he has been cold and narcissistic. I don't know if that's how he actually is IRL, or if he gets a lot of messages per day and can't keep up with them, but he does not seem like a very good person in my opinion. I am glad that he fixed this huge vulnerability, and I can pretty much guarantee that any mention of this in any of the servers he owns will be met with a timeout or something of that sort. I mentioned the word "bot" in the Arcane server and got muted for 5 minutes for "advertising" as he told me.

    • @verytuffcat
      @verytuffcat 11 місяців тому +21

      almost every large bot dev is narcissistic tbh

    • @Gandalf_Potter00
      @Gandalf_Potter00 11 місяців тому +31

      @@verytuffcat Dark is the only bot developer I have ever directly interacted with, so I can't speak much on that, but I wouldn't be surprised if the reason they seem cold is because they just get an onslaught of friend requests and DM requests. I would imagine it would be stressful to have to deal with all of that. I'm not excusing Dark's actions as he could have at least said thank you, but there might be multiple reasons why he didn't respond other than he's a duchebag. I still think he could be nicer though.

    • @radiatedcherry
      @radiatedcherry 11 місяців тому

      its very easy to turn off those friend request and dms stuff its just their incompetance@@Gandalf_Potter00

    • @GlacialBolt
      @GlacialBolt 11 місяців тому

      ⁠@@Gandalf_Potter00influencers and developers get insane dms and friend requests all the time lol, but not all of them are narcissistic. these type of people are just inherently like that, and the fame is just feeding it

    • @verytuffcat
      @verytuffcat 11 місяців тому +3

      @@Gandalf_Potter00 yeah

  • @7heMech
    @7heMech 11 місяців тому +631

    Absolutely disgusting move by the bot owner.

    • @zikohaha7440
      @zikohaha7440 11 місяців тому +11

      Shut UP !!!!!!!! 😍😍😍😍🥰🤩🤩🤩

    • @Craosien
      @Craosien 11 місяців тому

      ​@@zikohaha7440npc

    • @BroggoYT
      @BroggoYT 11 місяців тому

      @@zikohaha7440 you shut up

    • @redixroblox.
      @redixroblox. 11 місяців тому +78

      @@zikohaha7440 no

    • @hmhm-g6f
      @hmhm-g6f 11 місяців тому +1

      Thats messed up

  • @rryangosling
    @rryangosling 11 місяців тому +275

    xyzeva causally finding vulnerability in security bots 💀

    • @chevvvv
      @chevvvv 11 місяців тому +15

      sometimes I want people like that to point what's wrong with my stuff out, just to make them a little bit better

    • @fuyuv_
      @fuyuv_ 11 місяців тому

      @@chevvvv thats what beta releases, etc. are for

    • @Buttersaemmel
      @Buttersaemmel 11 місяців тому

      @@chevvvv and then there are those companies that sue you for letting them know, even if you just accidentially stumbled upon it...

    • @unearthlynarratives_
      @unearthlynarratives_ 11 місяців тому +8

      It's a very amateur mistake so I wouldn't credit too much here, this should have never worked had this been done by someone with more than 1 year of experience.

    • @schrenjaminsstift92
      @schrenjaminsstift92 11 місяців тому

      ​@@unearthlynarratives_even somelne with 1 month of wxperience shoudn't make this mistake. As soon as you know that anyone can send stuff to your server, you should see how this is shitty security

  • @thedonutone
    @thedonutone 11 місяців тому +28

    Some servers really are set up horribly, one time, I saw a server where for some reason the owner role, with all perms, was under the member role, which everyone has, and also has perms to manage roles, so if literally anyone looked at the roles, which the member role also has perms for, they could've easily just given themselves owner and destroyed the entire server before the real owner got on.

  • @RealTheonFrFr
    @RealTheonFrFr 11 місяців тому +220

    "am be so so wuh a bo" such wise words from the owner...

    • @Mightype
      @Mightype 11 місяців тому +11

      It’s something about the word sussy Baka but in reverse

    • @mohabtameregyptgamer8902
      @mohabtameregyptgamer8902 11 місяців тому +7

      I reversed it and it said amongus sussy baka not kidding reverse the video and you can hear it too

    • @Gnarpy-c3x
      @Gnarpy-c3x 11 місяців тому +5

      @@Mightypehe said “among us Sussy balls” Lmaooooo 💀💀💀

    • @BlueYT592
      @BlueYT592 11 місяців тому

      Whice goat will be the next to be my subcriber🤔

    • @shrimpaerospace
      @shrimpaerospace 10 місяців тому

      @@BlueYT592 Well i'm not a goat. Maybe the next guy

  • @PandaMasik
    @PandaMasik 11 місяців тому +154

    We would be doomed if NTTS started his villain arc.

    • @YeetDisDude
      @YeetDisDude 11 місяців тому

      too bad he cant cause all he knows is how to get spoonfed by women

    • @norwegiansmores811
      @norwegiansmores811 11 місяців тому +18

      yes. and it does not help that he gets treated like shit (ignored) when helping people.

    • @Black_kot_original
      @Black_kot_original 10 місяців тому +2

      he's gonna start it someday, if he gonna keep being treated like shit

    • @ZillMohammed-y1d
      @ZillMohammed-y1d 5 місяців тому +9

      Xyzeva is gonna be his side kick for sure

    • @K0ra_st4r
      @K0ra_st4r 5 місяців тому +1

      he would be the one who ruins every discord sever ever

  • @ectothermic
    @ectothermic 11 місяців тому +64

    I don't think I could've resisted the intrusive thoughts tbh. Good on you, dude lol.

    • @identifydelaymc3873
      @identifydelaymc3873 11 місяців тому +2

      xyzeva is a developer on a server Im an admin on lmao

    • @liquidmagma0
      @liquidmagma0 11 місяців тому +3

      i mean you could have harmless fun, right? don't have to go destructive.

    • @erikkonstas
      @erikkonstas 11 місяців тому +6

      It's people like you who are the reason why problems are only made public after they're fixed...

    • @ectothermic
      @ectothermic 11 місяців тому +14

      @@erikkonstas it's a joke not a dick, don't take it so hard.

    • @erikkonstas
      @erikkonstas 11 місяців тому +1

      @@ectothermic Literally nobody thinks you're joking tho.

  • @thehansboi
    @thehansboi 11 місяців тому +83

    these recent vulnerability videos have really given me insight on how even the biggest bots can be taken advantage of

    • @erikkonstas
      @erikkonstas 11 місяців тому

      LOL forget about bots, or even Discord, try to search how many vulnerabilities people have discovered in the major cloud computing providers (AWS, Azure, etc.).

    • @ItzPubby
      @ItzPubby 11 місяців тому +1

      Take active steps to protect yourself, you cant let other people do it for you. If you want the server safe and to have these types of security you need to go through and do it properly. the best thing you can do, is be as secure as you can from your end.

    • @erikkonstas
      @erikkonstas 11 місяців тому

      @@ItzPubby Do you know what you're saying... thing is, bots like Captcha bot have already constructed databases which can help find alts; this is not something you can just "acquire".

    • @verytuffcat
      @verytuffcat 11 місяців тому

      ​@@erikkonstasi honestly wonder how it works tho. can you explain

    • @erikkonstas
      @erikkonstas 11 місяців тому

      @@verytuffcat So basically the thing stores a number of IP addresses and other characteristics pertaining to a number of "devices" for every Discord account that goes through it, so if another account shares anything in common it is considered to be a possible alt. Yes, it can have false negatives (e.g. the person changes their public IP address) and false positives (e.g. the person is on a public Wi-Fi).

  • @Gotham-guardian-pls7t
    @Gotham-guardian-pls7t 11 місяців тому +230

    This is the reason I like to troll the help pages on Dark's Discord server. It makes him waste his time on stupid things that takes his precious time off. I feel no remorse for Dark whatsoever

    • @epicstar86
      @epicstar86 11 місяців тому +20

      Big W

    • @billyhatcher643
      @billyhatcher643 11 місяців тому

      Glad I never heard of this dumbass bot

    • @_tr11
      @_tr11 11 місяців тому +2

      lol

    • @Saymon-t2q
      @Saymon-t2q 11 місяців тому

      Did he just hack it for fun?

    • @KaiDevvy
      @KaiDevvy 11 місяців тому +6

      Am I misunderstanding? All the dude did was not reply to him. Why harass him?

  • @ashmaniacal
    @ashmaniacal 11 місяців тому +123

    Once again, thank you for keeping us safe on Discord, NTTS!
    Shame Discord don't have an employee to do this.

    • @HeadlessStar
      @HeadlessStar 11 місяців тому +4

      npc

    • @ashmaniacal
      @ashmaniacal 11 місяців тому +6

      You're an Npc @@HeadlessStar 😂😝

    • @SilenceBot
      @SilenceBot 11 місяців тому +8

      ​@@HeadlessStaryou have become the very thing you have set out to destroy!!

    • @HeadlessStar
      @HeadlessStar 11 місяців тому

      npc activity@@SilenceBot

    • @ZickZenniYT
      @ZickZenniYT 11 місяців тому

      @@HeadlessStar *bot activity

  • @RavDeBest
    @RavDeBest 11 місяців тому +36

    That is the most pathetic thing I ever seen, like imagine ghosting the guy that help you find a security problem in your code, like imagine this happened again. I'm sure NTTS knows this abt stuff or he knows someone knows this stuff, imagine being so egoistical and risking ur career

    • @sal_strazzullo
      @sal_strazzullo 9 місяців тому +1

      Can't say for sure he ghosted him, he only gave him one day to reply. When my dms are full it takes me two weeks to read and reply to them on average

  • @Sunnyon163
    @Sunnyon163 11 місяців тому +8

    okay so heres the thing, firstly a super big thank you for makeing those videos secondly i get that the dev might have had a bigger thing to work on than responding to you when they first saw it and im happy they did fix it so fast but a "hey we fixed it thanks for saveing our butt here" wouldve been nice

  • @lollolcheese123
    @lollolcheese123 11 місяців тому +30

    You can always go the middle route: Sell the vulnerabilty but also tell the owner about it

    • @seawinn
      @seawinn 11 місяців тому

      that's big brain time

    • @tyx168
      @tyx168 11 місяців тому +6

      i wouldnt even bother telling him about this, i would just look how his bot gets destroyed. he's such a looser for not even answering

    • @wanderingpalace
      @wanderingpalace 11 місяців тому +2

      just sell the vulnerability to him for 1000 dollars

    • @Yezpahr
      @Yezpahr 3 місяці тому

      Selling it to an interested party and having the vulnerability be patched before they use it will raise eyebrows and may be answered with lead or certain types of salts. You'll also never sell something like that again because your name becomes dirt, for both parties.
      It's a sure way to shoot your own foot off and risk losing family/job or life insurance.

    • @lollolcheese123
      @lollolcheese123 3 місяці тому

      @@Yezpahr Can't be attacked if nobody knows who you are ¯\_(ツ)_/¯

  • @genericname3685
    @genericname3685 11 місяців тому +26

    This shows us very well how life slaps you across the face for just being nice and the least they could've done is a thank you, but apparently thats too much for some people.

  • @ur1zenAE
    @ur1zenAE 11 місяців тому +16

    NTTS Started his own villain arc confirmed 100%

  • @Pokamechibre
    @Pokamechibre 11 місяців тому +157

    To be ethical or not to be. As soon as you have a good intention, you literally get shit on by life. Honestly, you shouldn't have given away the exploit without getting a response from him, or a bug-finding contract. This kind of vulnerability should have been rewarded. If I made a bot and such a vulnerability was discovered, not only would I thank the user who found it and didn't abuse it, but I'd also try to pay for it or give away premium benefits.
    What a rat.
    Translated because i'm not ca or us, just a baguette.

    • @nwerd7584
      @nwerd7584 11 місяців тому +12

      I think NTTS makes a good amount of video legally through YT. Probably why he leaves this stuff for other people to make the choice. But not responding doesn't sound like they tend to pay bug bounties. a good team would have probably offered it.

    • @Buttersaemmel
      @Buttersaemmel 11 місяців тому +14

      even ignoring ethics this is just stupid.
      if you know you get paid out and don't need to fear legal actions if you point out vulnerabilities, you'll probably do it.
      but if you know you will just be ignored but could instead exploit it to make some money, a lot of people wont care about ethics and decide to exploit.
      it's just proof for anybody that you'll gain much more from exploiting his products.
      that's just stupid and for all of his customers you can just hope that no bad actor is going to find something.

    • @microondasradioativo
      @microondasradioativo 11 місяців тому +1

      P sure the owner doesn't care to fix it and knowingly just lets that be possible

    • @parapetcloud
      @parapetcloud 11 місяців тому +7

      ​@@microondasradioativoit's best not to attribute to malice, that which can reasonably be attributed to being a complete dumbass.

    • @microondasradioativo
      @microondasradioativo 11 місяців тому

      @@parapetcloud if he's a dumbass then he'll learn the hard way

  • @justamanofculture12
    @justamanofculture12 3 місяці тому +2

    My years of development experience in Web Applications taught me how terrible web app security system design are. So many developers just focus on finishing the app instead of protecting it from vulnerabilities and implementing some good tier security precautions. There's a world after sign-in page but sadly most developers dont care about that 😢............

  • @RetoonHD
    @RetoonHD 11 місяців тому +9

    At this point, bad security by discord bot devs doesn't surprise me anymore. The bar to making a bot is so goddamn low that incompetent people make bots that get too popular for their own good.

  • @DarkSansTV
    @DarkSansTV 11 місяців тому +4

    this is epic, guilded is finally getting the attention is really needs, this is poggers

  • @laggingfr
    @laggingfr 11 місяців тому +5

    NTTS you giving here a good example of people who doesn't give a shit about safty, you did your thing and i proud of you its his problem

  • @7heMech
    @7heMech 11 місяців тому +30

    This escalated so quickly.

  • @rocco.uploads
    @rocco.uploads 7 днів тому

    Incredibly informative. As an indie dev who's also a cyber security freak and borderline paranoid this was such an interesting video, I always knew role order was important but I didn't also necessarily know it could act like an escalation hierarchy... I LITERALLY paused at 6:41 JUST to go update my server's roll order 🤣🤣
    Thanks as always NTTS, keep up the great pen testing and the great work 🔥💥💥

  • @Cybreak
    @Cybreak 11 місяців тому +126

    im starting to think eva is an AI, they have found ways to do this with so many bots lmao

    • @cylan6914
      @cylan6914 11 місяців тому +1

      Obviously she is, girls are not real

    • @skylarkblue1
      @skylarkblue1 11 місяців тому +31

      AI's pretty awful at cyber security. No, this is just a decent amount of time having fun pentesting lol

    • @kacperkonieczny7333
      @kacperkonieczny7333 11 місяців тому +1

      NULL

    • @user-to7ds6sc3p
      @user-to7ds6sc3p 11 місяців тому +20

      She does hobby pentesting according to her homepage. And her git shows activity in regards to malware/pentesting and most importantly silly block game.

    • @_tr11
      @_tr11 11 місяців тому

      @@kacperkonieczny7333 undefined

  • @WannabeFemboyYT
    @WannabeFemboyYT 8 місяців тому +2

    I just finished watching this video, and decided to check a few of the bots I have used on servers I own/co-own, including paid, free, and trial bots. It takes a bit longer than this, but some very popular bots(not gonna name them) have some major issues very similar to this one. I tested a method on a server I am friends with the owner on and managed to(after creating a backup server so people wouldn't lose everything) completely wipe the server in the span of 8 minutes. People really need to hire some kind of white-hat to double check that things aren't as hilariously undefended as this was.

  • @Eflaene
    @Eflaene 11 місяців тому +3

    So now NTTS teamed up with hacker-cat-girl pfp and we're getting more videos like this ? love it

  • @leikoo.
    @leikoo. Місяць тому

    Good for you for making this issue recognized instead of doing evil with it! :D

  • @souls4781
    @souls4781 11 місяців тому +6

    Disgusting behavior. A ‘thank you’ from his response would’ve really shown that he at least cared a bit. Sometimes it just doesn’t pay to have morals. I would have made an airdrop in an NFT server then have drained their wallets.

  • @Pachi_Fuda
    @Pachi_Fuda 11 місяців тому +12

    Eva and no text to speech are really helping people on this. the hero's we need.

  • @kipchickensout
    @kipchickensout 11 місяців тому +25

    don't worry, if he was that careless and clueless about security on that matter, he probably has a lot of other holes to patch

  • @Baburun-Sama
    @Baburun-Sama 11 місяців тому +1

    Security Problems in Discord Bots? You're... the One Legend.

  • @Zandersoneditz
    @Zandersoneditz 11 місяців тому +10

    0:04 says
    "Among us sussy ba-"

  • @mauron55
    @mauron55 11 місяців тому +2

    6 seconds into the video and I have to pause to replay it, I was not prepared for this start.

  • @nanopi
    @nanopi 11 місяців тому +5

    no announcement could mean some servers don't notice the bot handing out the wrong roles for a little while

  • @lightrealmrapono
    @lightrealmrapono 11 місяців тому +1

    Seeing this makes me glad that I went through the trouble of attaching this one bots permissions to each relevant Channel instead of giving it the blanket permission.

  • @blacklight683
    @blacklight683 4 місяці тому +6

    "Wait a sec you're not the owner.."
    "Yes i am"
    "Come in!"

  • @MDW-wu6ey
    @MDW-wu6ey 4 місяці тому +1

    5:18 YOU HELPED ME FROM THAT UTTER GARBAGE HACK!! TYSM

  • @stoteam8748
    @stoteam8748 11 місяців тому +8

    crazy how this guy doesn't even protect his api endpoints

  • @JiříDanielŠuster
    @JiříDanielŠuster 11 місяців тому +1

    I LOVE THIS. I can spend hours finding vulnerabilities or bypasses like this :). I wish I could do this as a full time job

  • @rainbowspongebob
    @rainbowspongebob 11 місяців тому +3

    Bro went from making videos about discord news to becoming a hacker, well I wasn’t expecting that

  • @md.riyasathossain590
    @md.riyasathossain590 11 місяців тому +1

    Bruh, you can definitely protect Vue routes in other ways! And also there should always be an API level securities e.g. protected endpoints based on roles, not by user ID even! Anyways, we need more ethical volunteers to check for stupid vulnerabilities like this... All developers are human beings, they can definitely make mistakes, it's not a thing to feel shy about. Therefore, let's put our hands together to fight the criminals who actually takes advantage of these mistakes... Thanks to NTTS for this awareness video!

    • @sattlerdevelopment
      @sattlerdevelopment 11 місяців тому +1

      I wouldnt do it by role ids since someone could exploid the support server and give itself the roles or any other way I would always do it by user ids

    • @md.riyasathossain590
      @md.riyasathossain590 10 місяців тому

      @@sattlerdevelopment Yes, truly it can be a secure option if you can sanitize website's input cases. Even with user ID, you can add better defences for this kind of XSS attacks. You can add some sort of Server authentications and stuffs (as I noticed the website only authorised the "hacker" by what it sees from the browser's perspective, meaning it's an exploit that can completely be done from the frontend). You can also add Public IP address checking (i think) to notify the developer that an unknown device is trying to connect to the admin portal...or smth like that idk. Either way, there are a lots of measures you can take. (Thanks for the callback, I just didn't think of that exploit.)

    • @iamerror1699
      @iamerror1699 5 місяців тому

      Why? They ghost you, so why?

  • @techwhipped
    @techwhipped 11 місяців тому +3

    This also brings to to the question how many other captcha bots are affected by this same exploit.

    • @_tr11
      @_tr11 11 місяців тому

      it's something very well-known, i think this bot's dev is just dumb

    • @erikkonstas
      @erikkonstas 11 місяців тому +1

      I'm sure you can find another one in the channel... 😂

  • @paintden
    @paintden 11 місяців тому

    Man, you are a real hero! This made me so proud and insipred. Well done bro.

  • @TezlaGrey
    @TezlaGrey 11 місяців тому +12

    Can you cover the new mobile layout and how to revert to the old layout? It's absolute ass and makes me happy to be legally blind

    • @TorutheRedFox
      @TorutheRedFox 11 місяців тому +1

      trick is to downgrade to earlier version, disable it there, update back and never update again without confirmation that it still exists

    • @chaos9790
      @chaos9790 11 місяців тому

      done

    • @sal_strazzullo
      @sal_strazzullo 9 місяців тому

      I like the switching between severs and dms, but I absolutely hate the new search and how I can't just type from:someone without it trying to do some Google type of stuff

  • @angelaodonnell8407
    @angelaodonnell8407 11 місяців тому +2

    0:04 the reversed voice says, "Among us sussy ball-"

  • @Zencep
    @Zencep 11 місяців тому +4

    I…might have to see if I can hire Eva to do a vulnerability check on a project at some point…

  • @Missing_text15
    @Missing_text15 5 місяців тому +1

    This man is an inspect element wizard, and my role model for inspect element.

  • @joshinglyyy
    @joshinglyyy 11 місяців тому +6

    This is why I don't trust security bots.

  • @CookieKingHamber
    @CookieKingHamber 10 місяців тому +2

    6:30 bro was about to go on his villian arc 💀💀💀

  • @Pengal25
    @Pengal25 11 місяців тому +8

    The amount of trolling that will be done is devastating

    • @thewitchidolsachika6682
      @thewitchidolsachika6682 11 місяців тому +1

      The exploit is fixed. The trolling can only happen if something like this is leaked again.

    • @Pengal25
      @Pengal25 11 місяців тому +12

      @@thewitchidolsachika6682 rules of the universe: 1. Trolling will happen 2. If the trolling is stopped, it can happen again

    • @nwerd7584
      @nwerd7584 11 місяців тому

      @@thewitchidolsachika6682 in discord the only updates shown in the video is they moved around the roles, theoretically if someones already in they could change it back. Unless NTTS didn't show what was further changed.

  • @PawsIsHere
    @PawsIsHere 8 місяців тому +1

    I did this on my friends 4 months ago a month before u uploaded this, And they laughed so hard they told everyone. thats how this vid was made.

  • @F.B.I_A.F.M
    @F.B.I_A.F.M 10 місяців тому +6

    Welp time to raid some Discord servers. 💀

  • @Doodle128
    @Doodle128 11 місяців тому +2

    I wonder if most bots have this exact issue with a similar result after making it think you're the owner and some devs are just too lazy to patch it if they hear about it.

  • @SheIITear
    @SheIITear 11 місяців тому +3

    To anyone wondering, similar bots exist on whatsapp too. Those bots have a lot more serious vulnerabilities tho (i.e RCE on host machine).

    • @_tr11
      @_tr11 11 місяців тому

      I use WhatsApp, and I think it doesn't have bots unless you are a business and verify it

    • @SheIITear
      @SheIITear 11 місяців тому

      @@_tr11 unofficial libraries exists.

  • @BubblesWaffle
    @BubblesWaffle 11 місяців тому +2

    this seems very legal and not abusive at all, ur a pro white hat hacker man fr !!!!!!!

    • @bilinasmini3480
      @bilinasmini3480 11 місяців тому +1

      Make a video now explaining why the public dislikes the updated mobile interface.

  • @theenigmascribe
    @theenigmascribe 11 місяців тому +3

    Waiting for NTTS's video on the new discord update with the interface

  • @SeifuTheSigma
    @SeifuTheSigma 5 місяців тому +1

    NTTS could at any moment become discords biggest and most notorious hacker yet he chooses to be a white hat hacker.
    I tip my hat to you

  • @tagKnife
    @tagKnife 11 місяців тому +5

    As a Developer, hacker, consultant.
    You would be suprised at how many of these APIs are vulnrable to this exact issue. To many developers think that frontend verification is secure. Completely ignoring anyone could send requests directly to the API.
    And tbh, 99% of these issues come from Javascript developers. They have no idea about secure backend programming.
    Discord had the exact same vulnrability in their APIs, last year people discovered a new API for model popups, it was completely undocumented and wasnt supposed to be public, but even discord doesnt put propper authentication on their APIs.

    • @Sammysapphira
      @Sammysapphira 11 місяців тому

      It's certainly a js issue. Tons of js frameworks bake back end into the front end like react and nextjs. There's a level of abstraction that non system engineers can't really understand because they think they're writing back end code but it's actually running on the client. It's like giving them a notepad with all your passwords to everyone who visits your website.

  • @Funtime3Freddy3
    @Funtime3Freddy3 11 місяців тому +1

    The only solution in my opinion, is making a private owner panel and move the api /guilded there. The owner panel and it's api endpoint will be connected to the database locally and they could add a login check with the owner's discord account. Trust me, I've done this for a website I own and it's a very good security. Like, who'll try to come at your house, try to guess your pc's password/pin or whatever you have, find the hidden owner panel and try to get in with your discord account?

    • @GoldbergToastyBred
      @GoldbergToastyBred 11 місяців тому +1

      ? just store verification check code in back-end (server-side)

    • @erikkonstas
      @erikkonstas 11 місяців тому

      I think you meant "/debug", not "/guilded", but a simple auth flow ought to be enough (what we saw in the video was Dark putting it "where nobody will go looking for it", a "very good" "alternative"!!! 😂).

  • @jacetang9552
    @jacetang9552 6 місяців тому +142

    A hacking tutorial 💀

    • @UrMom8MyAss
      @UrMom8MyAss 5 місяців тому

      Fr 💀

    • @_DarkPlays
      @_DarkPlays 5 місяців тому +13

      Not really since the video was uploaded after it was patched

    • @Nerd-_-emoji-t3w
      @Nerd-_-emoji-t3w 4 місяці тому +2

      @@_DarkPlays YEAH!!!!!!

    • @Samdude12
      @Samdude12 3 місяці тому +1

      Crazy

    • @Hnxzxvr
      @Hnxzxvr 2 місяці тому +3

      No cuz people have fixed API endpoints this guy just didn’t think that anyone would try this or know how but it’s fixed now

  • @lateworm
    @lateworm 11 місяців тому +2

    yup. this is why I always set up bots below mods/andmins and above janitors. bots can only be trusted to delete messages and give roles that have no real perms under them.

  • @roxlife8173
    @roxlife8173 11 місяців тому +3

    This escalated quickly.

  • @XnSizerYT
    @XnSizerYT 2 місяці тому

    8:41 “Pookiemane please return my calls” made me rolling on the floor😂

  • @ErrorAnimator687
    @ErrorAnimator687 11 місяців тому +3

    "But when i told the owner he said obby sussy mama"

  • @Rychuxd
    @Rychuxd 5 місяців тому

    I love this guy teaches about cybersecurity whilst entertaining w

  • @lightning_11
    @lightning_11 11 місяців тому +3

    Why does everyone do authentication _client side?!_ Like, seriously, that's the oldest mistake in the book!

  • @antiwolfer8691
    @antiwolfer8691 7 місяців тому +1

    i just want you to know that if I was in your position, I would be an absolute menace but I appreciate your ethics even if they don't reflect my personal views

  • @ProshipAshton
    @ProshipAshton 11 місяців тому +4

    he said “among us sussy baka” at 0:05

  • @Johncw87
    @Johncw87 5 місяців тому

    In my experience, frontend developers don't seem to understand security. I once saw a frontend developer generate jwt tokens on the frontend, which means the secret had to be in the frontend, which means the secret isn't a secret anymore, which means no security. Might as well just create a big button labeled "hack me"

  • @beastnighttv
    @beastnighttv 11 місяців тому +4

    1:51 VOOO 😂😂 its pronounced "view"

  • @metalspoon69
    @metalspoon69 11 місяців тому

    This is like multiple cardinal sins:
    1: pushing debug tools to production
    2: CLIENT SIDE VERIFICATION (????)
    3: UNPROTECTED ENDPOINT (????????????)

  • @codeguy11
    @codeguy11 11 місяців тому +15

    1:52 OMFG He pronounced "Vue" incorrectly, as a web developer I'M OFFENDED 😭😭

  • @PhoebeNureeka
    @PhoebeNureeka 3 місяці тому

    this video was packed with information, yet so easy to follow!

  • @17ashishemmanuel
    @17ashishemmanuel 11 місяців тому +6

    It's pronounced as VIEW NOT VUUUU I'M DYING

  • @nero3700
    @nero3700 11 місяців тому

    Damn, that's a real bad one. There must be other giant holes in this dev's projects...
    Understandable for a "got-out-of-hand" FOSS project, less so for a commercial product with paying users.

  • @tamerjustine
    @tamerjustine 11 місяців тому +5

    NTTS, idk if you still read comments, but are you aware how discord is forcing mobile users to use new ui
    To explain, now if you change the ui, you CANNOT change back to old ui (im forever stuck in new ui purgatory. Send Help)

  • @boxYT1
    @boxYT1 11 місяців тому +1

    just imagine this man going to his villain arc, it won't be pretty...

  • @Jakkilip
    @Jakkilip 11 місяців тому +12

    I can't believe the owner said the N word

  • @ihavenoideawhatimdoing23
    @ihavenoideawhatimdoing23 4 місяці тому +1

    "but when i told the owner he said"
    "ab yssus sugoma"

  • @gorilla8275
    @gorilla8275 7 місяців тому +14

    Hi (make this famous) Edit : OMG THANKS GUYS THIS IS THE MOST LIKES I EVER HAVE

    • @-cottoncandy-
      @-cottoncandy- 6 місяців тому +1

      i will try

    • @swiftkumar
      @swiftkumar 4 місяці тому

      Please shut up

    • @samned.
      @samned. 4 місяці тому

      bro it got 10 likes💀

    • @Jirahs57
      @Jirahs57 4 місяці тому

      Prepare thyself

  • @retrogamerfoxxie
    @retrogamerfoxxie 11 місяців тому +1

    Eva seems to be really good when it comes to Discord. Seems to be in a lot of vids now

  • @swaglikehoooo2111
    @swaglikehoooo2111 3 місяці тому +4

    7:28 whats that nameee

  • @xvirtualgamer8468
    @xvirtualgamer8468 11 місяців тому +1

    the funny thing is the ad before this video (for me) was the advertise for a discord nuking bot lol

    • @erikkonstas
      @erikkonstas 11 місяців тому

      And here we, yet again, enter the topic of UA-cam literally letting anything that smells like money slide...

  • @duke605
    @duke605 11 місяців тому +2

    Jesus... are these bots written by 12 year olds? Have they heard of doing authentication on the backend?

    • @erikkonstas
      @erikkonstas 11 місяців тому +1

      LOL if you ask them to build a fort, they are gonna tell you that their guard's way of protecting entry is asking for a name and that's it... 😂

  • @theguywhofunni
    @theguywhofunni 4 місяці тому

    This is literally like going to someone house, knocking on the door and they ask who are you, you say its "me", the very memorable and handsome guy and they let you in

  • @nikolettaheigl3771
    @nikolettaheigl3771 9 місяців тому +4

    0:24 where is contain part Between secure and protect?💀

  • @sp0onforksp0rk
    @sp0onforksp0rk 11 місяців тому

    This came out 53 minutes before I got discharged from surgery
    Peak content the moment I'm free hell yeah

  • @ShadowWolfe
    @ShadowWolfe 11 місяців тому +3

    Literally the least he could've done was say "Thank you." But I guess when someone runs the "most secure" bot, they still have an ego regardless.

  • @ris_kis
    @ris_kis 11 місяців тому

    When you get tired from telling people how to defend themselves from scams, you become a hacker.

  • @kepscorner
    @kepscorner 11 місяців тому +3

    this makes me glad and sad that I am so neurotic about server setup. If I was a bit stupider I coulda used this to get back into my own server but I'm too reserved about permissions so this would've never worked :sob:

  • @AsrielDreemurrPlays
    @AsrielDreemurrPlays 11 місяців тому

    from what i've seen (at least on this channel I don't really use bots in my servers at all, and the bots I do use are like, music bots which only need like 1 permission). Most bot developers don't have experience with an internet facing service. If the debug endpoint is there just for debugging other servers just incase there's an issue, why not just have it to where it can accept any ID and auth token, but on the backend it checks if it's the correct user. The code is right there in the page source, it just checks if the userID is the ID if the owner of capture bot, and just doesn't show it if it's not...the actual call doing the debug mode just does it, no other prior checks beside if the guildID is a valid id.
    What should've been done is, A. don't hardcode the user ID into the check for the User ID someone could just spoof it by just copying it right there B. do other verification on the actual backend.
    it could be a whole thing where first it sends the request like it does in the video, but when it gets to the backend it'll check multiple things, the user ID that sent the data, what permissions it has etc etc. verification shouldn't be done on the front end.

  • @Teslazer
    @Teslazer 11 місяців тому +3

    Waiting for the new video about the discord mobile update 😁

  • @yeetboyo7
    @yeetboyo7 7 місяців тому +1

    love your vids man