"Its not about the money, it's about sending a message"
-the raider
it sure is about sending a message (in #rules)
@@smixqse rules are meant to be broken
It's highly likely that they've used black-market cards
@@Bagaginogaming ?
@@0_O. True
Clearly the discord staff are the most competent people with the most outstanding ideas!
no monke brain in their heads!
Other companies have done worse. Deliveroo had a bug at some point that allowed for duplicate orders to be sent during peaks of high traffic. Tom Scott has a video on that.
Real
For real
Also 100th like
Discord has been making so many more dumb decisions than usual. I *almost* feel bad for them... *almost* ...
Discord's devs really brainstorming using a sewer rat as a computer scientist
@@Kirraii Lmfao, seems like it.
Oh, just wait for the change that they'll make on may 15, 18, or 20 depending on the timeline. (I'm totally a real time traveler)
Show those villains no mercy sonic
I have a theory they made an AI to generate ideas but they forgot to give it ideas to train the AI, so it just spits out gibberish and the Discord team just puts it in Discord
Bro would rather get his Discord account terminated than take 1,500 dollars. What a legend
What a madlad.
I know someone who submitted a relatively harmless bug to Discord. They only gave him the bounty because of his audience, and like 2 years later.
@ what bug was it?
random
bro what
$1500 is a joke… I feel like you could sell it to people with malicious intent for 10 times that. When companies do this, it's a budget way of not hiring as many bug testers
This isn't a very dangerous vulnerability. It just lets you spam protected channels with meaningless messages. If it was more serious, it would've been worth a ton more.
@@Jason9637 the worth of such an exploit is up to the buyer, and trust me, there are some people out there who would differ, especially since it's Discord
Bug bounties can't compare to underground black markets, but they offer other benefits such as getting your name listed in hall of fame, being able to discuss the bug publicly, not having to launder the money, and living guilt-free knowing that your stuff isn't used for evil. Also this bug isn't all that serious, I believe Discord would've given $500, or max $1000 for this.
random
@@QWONIE You're just saying words that are not untrue, but have no contextual relevance. In this case, nobody would be paying high-dollar for what is essentially a parlor trick. True, the worth is up to the buyer, but that is heavily influenced by the utility of the exploit, and literally nobody would pay more than $1500 for very, very basic script kiddie stuff.
It'll never cease to amaze me how someone can be both bright *and* a dumbass at the same time
Or they're bright and trollish, whichever fancies them
Shut up furry how bright is your rgb dragon dildo
Sometimes it's not about the money after all, but sending a message. Or in this case, thousands of them.
If you are a good security researcher or a programmer, 1500 is like a penny in a bottle.
Furry
1500 seems like nothingburger money
"it hit the Hub's server...."
"DISASTERBATING" 💀💀💀
Po-
child po.
@@Egglitch link?
@@htu271 I'm calling the police
@@htu271 🤨📸
What Discord did wrong with the bounty program is that they don't have the rewards publicly listed; for all the attacker knows, they could've gotten nothing if they submitted a report. If you look at other websites like Microsoft's, they clearly list the rewards for specific bounties.
Then who would submit anything if they know it's only worth $100 for a potentially malicious vulnerability?
@@jordanwardle11 And that's the reason for this video
These bounty rewards always contain an NDA - you take the money, you can't ever tell anyone the bug even existed.
It's a clever way to hide fuq ups, literally hush-money.
@@jordanwardle11 Good point, but then you could say the same for not knowing the bounty at all. Even so, you can generally get a guesstimate on how much a certain vulnerability will pay out, so if a company does fall outside of those odds an attacker wouldn't know; it's generally a safe bet to pay a decent amount for any vulnerability that will cause nuisance and permission bypass. Discord has tons of investors, and what they count as a running expense could be a life-changing amount for an individual, so I doubt money is the issue.
Ironic that you use Microsoft as an example, because GitHub was sued for breach of contract when they refused to pay after due disclosure, and the judge essentially very nicely told the guy that he was an idiot for disclosing before being paid (i.e. the disclosure agreement is not enforceable).
The raider really talked for all of us: it's not about the money, it's about the change you make. So sweet and inspirational
I submitted a kinda serious bug to discord once and got $500 out of it, pretty cool experience, there are cool people working there! Shame they've seemingly reset the thanks area at the bottom recently so it's a lot harder to show that off to people :(
What bug was it
What bug
They're probably lying
@@w.d3xx not lying. they cant talk abt the bug at all. basically discord pays them to stfu and not let anyone know abt their fuck up. kinda like a NDA
@@rebeccaxrvxole Still cant be 100% sure
the concerning thing is how did ntts knows that the hub’s server was raided
Probably asked around... just like any journalist would.
@@bndlett8752 Yeah we'll go with that...
people told him
@@demonboi6930 Yea we will, because that's the truth you smart ass. Who the fuck do you think you're talking to like that? Lock your doors at night you moron
Why was he even in the server 🤔
Man, they should ban "free trials" where you need to enter credit card data
No, we as consumers should just refuse to participate, it will go away eventually.
it's so annoying.
YES, that would be an incredible law. It's so annoying when scummy companies do that. Realistically, though, that probably won't happen: although it is used in the hope that the user forgets to cancel, so they get money without the user noticing (aka a scam in a legal way), it's also used to make sure the user doesn't abuse the trial system (making more and more accounts to effectively get a free unlimited subscription, unless the trial option isn't available after a while). However, I could see the possibility of a law that makes it so they can't auto-renew automatically.
It's discord, at the end of the day, all they care about is money.
@@satinfoil I’m not sure if this wasn’t part of what you're talking about, but 0:35
It's starting to look like the marketing team is more competent than the dev team 😂
that's because the thinking and amount of problem solving they have to do is killing them mentally😂😂
"My goals are beyond your understanding"
-The Raider
With this video we learned that the price of being an asshole is $1,500.00
The kiss at the end was personal 💀
He raided the hub server, which is far better than 1500 dollars in my opinion.
in the grand scheme of things $1500 is not that much anyways
It's not that hard to do. They're pretty open about it existing. The hardest part is getting in since it's so popular.
1500 is a lot for at least someone in college
@@w.d3xx skill issue
@@chlorobyte_projects 100% 10-12
Only $1,500? This guy literally made a joke worth more than that! Who cares about the money. That was funny as hell
@@_moonlumen lol
let's be honest, Discord probably would have just given a bug hunter badge
I have access to it, I sent it to 3 friends. I was happy cause I could gift them some Nitro and they hit me with the “I have to insert my billing info”. Yeah, it’s not free if you need to insert any sort of billing information; years on the internet have taught me that LOL
How? Just cancel it, are you stupid?
It's free, it just needs billing so that if you forget to cancel they can steal some money
anytime I claim a free Nitro I set up a reminder on my phone calendar to tell me it's about to end so I can manually cancel like 1 day before it expires
it worked every time, I've had free Nitro 4 times so far
@@CrimsonAkato I hate this freaking "if you don't cancel we'll just assume you want that so we'll charge". Ok, fair enough, it's my responsibility to remember to cancel (like what you did setting a reminder), but it's a thing that in my opinion lies towards "scam-ish" behaviour: they know a bunch of people will forget that. It should be set up so that, at the end of the trial period, you get a message that says "hey fella, your trial is expired! Would you like to purchase?". There should never be a "the customer didn't say anything, so I assume consent", it should be the other way around
@@CrimsonAkato that's what I'm saying, just don't be stupid and you're fine
@@RussellTeapot yeah I agree, but what can you do, not much sadly
every site with a service uses this type of method, I'm just used to it at this point; setting a reminder to cancel is all we can do when we claim anything free
"disasterbating" is the best play on words I have heard in my entire life. kudos to you
it always makes my day to get that special NTTS kiss at the end :3
bro you need a partner.
@@Leo555V1 i have a partner, but thanks
@@Leo555V1
Who needs a partner if NTTS already loves everyone of us?
@@conclusivestate this is a good point
Bro imagine being THAT dedicated to raiding servers that you refuse to get back 1.5K USD, actually impressive.
the bug bounty was released AFTER he did the raid
@@DiamantOpp No
@@DiamantOpp no
@@DiamantOpp no
@@DiamantOpp no
Honestly? This feels more like a white hat troll going: "Hey discord, here's an exploit and how I did it. Now you can't ignore it!"
The fact they didn't spam gore and shit too puts them in the 'chaotic good' area.
This is grey hat. White hat would be responsibly disclosing the bug to their bug bounty system.
he couldn't decide what to spam, only where to send that specific message
They couldn't, literally the only thing they could send was the poop emoji
discord is like a really poorly made house built on stilts just… falling apart, slowly but surely
yep
This bug does not demonstrate that, though? A bug like this could have happened to any platform and to any developer.
@@GoldenretriverYT doesn’t matter, after their multitude of issues that have built up, it just shows it’s like a poorly made house lmao
@@CasuallyWillis any big platform with a ton of users is bound to have serious bugs several times, no matter what. programming isn't as easy as just typing in a few lines of code, you have to debug and also constantly figure out how to do things you don't know.
@@lightlie_ The entire Discord birthday promo (June 15) is behind an experiment flag that isn't permission capped, and that includes the whole shenanigans with the activities that you can right now abuse at your own leisure.
The one in the video wasn't a slip-up, it's regular day-to-day negligence (yes negligence, not underpaid, not overworked, negligent behaviour made the norm).
Nah, those bounties are so little that, considering that person's knowledge, he probably makes a lot more than that. So yeah, it was more fun to raid servers than to get something so worthless. The chaos it caused was worth way more than 1500 dollars :)
Discord's trying to experiment with features, and honestly, I applaud them. They just need to listen to criticism and apply it as such.
I love your vids ntts, please keep it up, literally spent all day watching ntts vids
Imagine that person seeing this video and being like 💀
💀
💀
💀
Why in the world would they not make sure that these messages can only be sent as a DM, or at least adhere to permissions? Feels like an extreme lack of due diligence.
Some people send Nitro gifts to channels as a sort of race to see who gets it, they shouldn't limit where you can send it, just make it so it can be deleted
@@leonardonetagamer But these are trials that are specifically targeted towards a person. Normally you can only DM them. The guy had to do the API trolling to send it in #rules
"disasturbating" is something I've never heard before and never want to hear ever again.
"we are sending a message and people are listening" -NFS rivals Zephyr
1:39 You really missed out on rickrolling us with that QR code
Actually, I myself had Nitro about 15 days ago. Before that I also owned a 1 Month Trial Nitro, and yet I was still able to claim that Nitro, meaning that "12 Months Nitro" thingy might not be accurate.
Really loved the "byebye sweetheart! I love you! MmmWAHH!" at the end
Discord going insane with their nitro thoughts
that lil bye bye message always makes me giggle xD
6:14
toddler tried to raid for a little bit of dopamine instead of reporting the bug and getting money
"YOU DIDNT HAVE TO CUT ME OFF (like that)"
4:26 Seeing a number be put in a string makes me feel pain
Discord actually does use channel IDs as strings
it's an ID, it must be a string.
@@Splarkszter nope, IDs can also be an integer.
@@fwogiie Yeah, but what happens when you want to add letters to it? Better be prepared and not place dubious roadblocks in the way.
@@Splarkszter which is also why I said "can" and not "has to".
Bruh, 1.5k for a critical vulnerability. No wonder no one uses this bug bounty program
@@Buffalo_Soldier 50k would not be reasonable for a bug that causes nothing more than a nuisance lol
Critical? You couldn’t even write a custom message. It was harmless spam
If thats critical, whats an auth bypass then? SUPER MEGA EXTREMELY HYPER CRITICAL?
"it's not about the money it's about sending a message"
i am a normal person, i see ntts, i click.
same
same
Same
no interest in nitro, only ntts
unoriginal
it was to be expected for this to happen when it was released tbh
Wonder if you'll talk about the two new shadow drops that Discord announced, Media Channels and @everyone perms for
Man I remember when Discord was the app that freed me from the horrendous clutches of Skype... Anyone else?
"Disasterbaiting". Boi, he turned on the dad jokes
Next time you show off the API in Insomnia you should click onto that little auth tab and showcase its contents👀
$1500 lmao what a slap in the face. no wonder they didn't go for the bounty
It was ridiculous when the ddevs rules channel was filled with poop icons lol
imo for the "it shouldn't have you scan a qr code" part you should have put a rick roll qr code on the screen LOL
raider wanted to light up pixels on someone's screen rather than make $1500 💀💀💀💀💀
Imagine that raider watching this video...
The thing that I found funny is that a) there's a hub server, which I would have never thought would existed and b) it got raided lmfao.
Discord taking more L's per every Wednesday
I tried to scan the QR code and I got to your channel, nice trick
It's not about the money, it's about sending a message. - Some guy in a movie
There's no way you can get that much money on a bug report. Even Google did that with their Pixel devices, at $50,000, and didn't pay anyone for it.
1:39 I have to be that person to actually scan the one on the screen. Expected a rickroll tbh
*ntts uploading* me watching the video instantly. me happy
Discord Staff:
HUH? Someone send a Message here???!!!
Nevermind just lemme del -
have you made a tutorial for using the discord api to send messages?
Oooo more opportunities for people to get confused and scammed with "free nitro" shit. Discord loves their community frfr.
"This will make it perfect" -Discord Staff
"HELP ME!!!!!!" -their Server
YEESSSS NTTS UPLOAD THIS IS A GOOD DAY
at this point i dont know whether im watching these videos for the kisses or for the content
That guy who raided those servers could've gotten money. Karma hurts more than you caused.
That's literally pennies. And they would most likely get nothing considering how bad Discord's communication is.
he did it for a cause. OR he wanted to go out with a bang!
1,500 dollars isn't a lot, you can make that in two weeks or one month depending on your job
@@Purely_bread your pc that needs an upgrade:
@@CommandoBlack123 depends on the country, your financial status, and your living conditions
In India for example you could comfortably feed yourself for multiple years with that money
In a pinch you could also live in America and use it sparingly to eat for a whole year too.
You sound very privileged. Either you are very well off with a very well paying job, or you’re still living at home with your relatives while they feed you. $1.5k is not just pennies for most people
🐢 That's crazy ! 🐢 that's actually crazy ! 🐢 that's actually messed up !
I was wondering: what's the name of your browser extension that makes those folder-like tabs?
Didn't know "Git"hub had a discord server...
I still don't fully understand why people want Nitro, all you get are gaudy profile banners and GIFs but not GIFs.
But the profile picture gif is why I subscribe to nitro, and also the huge filesize limit extension is a bonus.
It used to be good a long time ago. Now it's like a dunce cap
I use it for clyde which increases the number of word limits. I also use it for storing some more lengthy file size, so it helps me. It's pretty cheap so I don't mind as long as I have some use for it. So it really depends on the user but for most users it may seem useless.
Well funny thing is that
- Some good update
- Mostly bad update (The # number tag thing)
i need to make PEOPLE GIVE ME THAT
A naked man fears no pickpocket.
Funny how even the official staff for Roblox on Discord call it a scam when it's not. Also, let's not question how they're moderated on Discord and not the whole website as a whole.
Hello No Text, do you know how someone can send you a request when you don't have any mutual servers or mutual friends with them? Cause today I got a request from someone that has no mutual servers with me or mutual friends, and their profile was kinda new, like a month old. Do you know if a hacker/bot or whatever can find some sort of way to generate random profiles to send requests to? Cause honestly I've never seen this person before ever in any servers, and I doubt they would know my profile if their account is basically new. Also I went to the Discord user search on the web and I couldn't find the account at all. If you can help me out, thanks.
yes man, it's us
idk if they still do it but i remember in 2018-2019 they would give nitro users free 1 month nitro codes
let's be real, they probably wouldn't pay for this bug seeing as it's practically harmless
the fact that trials are just basically paying for Nitro but with more steps is just the creme of the crop of how much they really want people buying Nitro.
Once on PC my Windows Security said this is not safe, then I’m like WTF
1:39 I thought that link is to Rick Roll lol
That’s crazy, they missed out on a lot of money!
I hate how for something that's free for a while charges you without being just a one time thing.
I don't want to accidentally spend money on cosmetics.
Wao Discord “actually” using their brain! 🤩
At this point, I'm curious if I watch his videos for information on discord updates or to be told someone loves me
This kiss at the end was too soft
I want NTTS to say the whole context and put me to sleep
BRO I NEVER HAD DISCORD NITRO FOR 5 YEARS WE LIT
babe wakeup new ntts video is out
rickroll would've been cooler on the QR code
sure he missed out on 1.5k, but that would've been pretty lame. the idea of abusing bugs to mess with discord instead of helping them to earn money is a lot more entertaining, especially because it wasn't malicious.
I'd be taking that money thank you very much
$1.5k, what a joke, he could have sold this technique for way more than that
This bug is probably out of scope for the bug bounty to be honest - it's not very clear how this could classify as a "security" issue.
One question: what were you doing in the hub server?
Disasterbating is just gold
Who tried scanning the QR code too?
disasterbating 😭 never subscribed to someone so fast
1500? Nah, I'm spamming the shit out of this. That is way too low
so ... half our chat bar is gonna be plastered with dumb icons?
2:14 “Disasterbaiting” XD