Wow... This is a school grade level exploit. Anyone who paid attention to basic website security knows how to prevent this attack. And yet Discord's dev team is so incompetent that it couldn't even prevent something this basic.
@@0.r0 You seem like you're 12 with that spelling. Discord devs work at discord for money not a badge? And you have to be over 18 to actaully work at discord.
The crazy thing is that React (which Discord is built with) literally has XSS protection built into it, meaning the developers had to deliberately go out of their way to make this exploit possible.
God, the absolute leveling that this guy does is addicting. This guy feels like one of those parents that would go: "Yeah, school sucks, heres why it sucks-"
Fun fact. Changing your password doesn't always work. I actually once got hacked on Discord, and instantly changed my password the moment I knew what had happened. Before the scammer even had a chance to do it themselves. They still got control of my account. Next level tomfoolery indeed.
In token stealing exploits, you may have to explicitly invalidate all your login sessions, which discord does allow you to do. Changing passwords doesn't necessary invalidate all existing login session tokens, though if discord had any sense they should.
They probably just send an automatic POST request to change the password to the discord server upon receiving the token immediately. Most likely that's why you don't have time to change your password in time
Why don't we create a script that generates tokens and sends them to all known token saving sites? Fill up their databases and have them be less effective
Safer to send junk and not actual tokens. Provided they don't have checking it'll still work and doesn't carry the risk of accidentally sending a legit token.
I dont know if I should say this but I literally saw/knew a guy who said he can just token grab people by just giving a invite link and that was over a year ago ,just how many people have known about it before this vid almost scary
i mean, this link is looking safe. So the only possibility is, to not use the internet at all or don't use services like discord (what ever this means)
@@Coder_Tavi links get censored by YT (only the poster can see it, nobody else), which might explain why it's showing "2 replies" yet only one shows up
Bro u clearly know nothing. 1. They didnt create an XSS Exploit, a person which found the vulnerability created the exploit 2. Even in Google, Nvidia, Apple etc. are xss, and even more dangerous vulnerabilities (like ssrf, or with that RCE) found (daily), so pls dont just talk shit about discord, when u clearly know nothing about this topic. Look at for example Hackerone and see how many reports are daily submitted and resolved.
@@testuser1235 I ain't your "bro", either way you're still incorrect. Discord developed the application therefore they created the exploitable surface. Perhaps I didn't make that part of my comment clear. I'm not sure why you're white knighting Discord as if they're gonna give you a job for defending them...
Thank you for sharing this important information about the Discord NFT scam link. Your video is helping to educate and protect the community. Keep up the good work in raising awareness about these types of threats
As someone that is still learning web development, this stuff kinda scares me. My knowledge on network security as well as vulnerability detection is not that much yet.
I found someone that’s been doing this to get people’s tokens and selling their tokens since the QR code scam, I’ve always thought this was possible but never had a sample to work with like you did, good job man!
i didn't even know what this was called but as soon as i saw the html i knew exactly what was going on. like no way did they let you just write html in a text description like that
man, the last time I saw such a major and easy xss vulnerability was xss in tweetdeck 8 years ago. and that was just a self-retweeting tweet. such incompetence.
I think what's crazy is that people are just now figuring out about this exploit which has actually been around for nearly 2 years now. Also most of the people hijacking accounts are focusing on people with og or "leets" for username and account age so that they can keep it and or sell it. A "leet" would be a username like root#0001 for example.
i’m genuinely surprised this was overlooked, literally no validation checks or encoding on the html to make sure that scrips aren’t being executed.. it’s unsurprising coming from discord though
@@zydn Yes that’s true when using JSX. But this exploit was done through the state management software. When someone loads the page it get exploited before the page even renders out html. If it was in the JSX it would have been sanitized
@@zydn React takes some steps to protect against simple xss attacks and html input vector rendering. displaying script tags, for instance, or other things. The exploit in this case is trickier than you might expect because it only guards against DOM-based XSS assaults, although XSS comes in a variety of forms. Having said that, data sanitization might have easily avoided this.
Fantastic video to inform us all about it but to be honest if you just stick to the rule of never clicking on any links before asking around or anything is the safest way to go Do not let your curiosity or greed get the better of you as those are usually how you fall for any scams Always ask yourself what could happen or simply why do I have to click on something someone sent me in dm which I have never spoken to before. Always have a certain level of distrust as come on this is the internet unless you know them personally irl you should always that certain level of awareness as anything could happen such as even your best friend on internet for years could turn on you for personal benefits
This is why you don't click links. Even if it's from someone you think you know, try to engage them in a conversation (esp if you haven't heard from them in a minute); if they talk different than normal, you know
brainfart: could people theoretically spam the blueh and/or hawkemedia links with fake/random tokens via scripts to throw some sand in their gearbox? obviously not all from the same IP so it's not as easy for them to filter out. they'd have to figure out if the tokens they collected are actually valid, and i guess would be kinda pissed if 99% aren't lol 🤔
This shows how little testing they have. If they'd had more testing, especially for such a simple webpage, this would have never made it to live. Xss is very simple to prevent and, as many people have posted many times before, is very simple to escape a user's input. Apparently Discord doesn't know/follow the "never trust user input" rule. Also, with Discord being as big as it is, you'd think they'd do vulnerability testing that would have told them about this problem long before it got out of dev.
@C00L3R Not really. It's like saying Slack is *just* for companies. The only companies on Element in my vicinity is the company of the lads. Also, with Guilded... Roblox Corporation. Enough said. Plus, it's free (libre) and open source, which should be the norm for communications/chat apps.
This happened to me. I got offered to be paid to "test" a service or something similar and be invited to a server. I just simply ignored those DMs. They were persistent and would try one or two more times, I still never clicked on them.
Stealing a Discord token is incredibly bad. If you lose the token and the recipient has any sort of scripting set up, you can expect to have the entire account stolen inside of 30 seconds. I'd fallen for a phish where I was asked to test a game distributed over Itch. It stole my Discord token from my Discord desktop client, logged me out, and closed the client. And despite having 2FA on my account, I was unable to log back in again, as the token thief managed to strip 2FA AND change the password AND change the email address on it. Without any sort of request for 2FA tokens from my phone or passwords. I'd asked Discord support over Twitter for assistance, and they'd reverted the email address back to mine... but presumably the token never got reset or the token stealer was still running on my machine, because it was stolen and yanked away from me yet again. And yes, I was a paying Nitro user with saved payment information. Thankfully, because I paid via PayPal, I was able to tell PayPal to never send any money toward Discord and saved myself ~US$150 of fraudulent purchases.
It is possible to do a lot of input sanitization, CORS policy changes and CSP changes to circumvent a lot of XSS, but in the end you probably won't get everything. Hackers will reverse a site and try to find a bypass to the filter you set in place. It isn't necessarily Discord's fault because it took hackers this long to discover it. It just goes to show that nothing you do as a security researcher and engineer will truly patch a vulnerability fully, but instead just makes it harder for a hacker to exploit it. Discord does have a bug bounty, but if crypto scams will yield more money than the reward money from the bug bounty, it makes more sense for hackers to exploit it rather than responsibly disclosing it.
@@JaivianDean Even then, reflected XSS is one of the least serious types of XSS. If it were to have been stored XSS, we would have had a huge problem (worse than this one). This still required a little social engineering and user interaction to pull off. Though that kinda makes sense, they should have probably checked for something like that before they pushed an update.
Like I said, the only way to stop this, is to deal with the hackers one on one. Trying to patch up a broken wall, to hide from them, is only delaying the inevitable, because they will ALWAYS find you. Sadly, everyone chooses to literally allow them to do these things.
I can't believe that discord forgot about it! It's legit on the OWASP top 10 web app vulnerabilities. A lot of these big companies forget about web app security 101 and it's sad.
They outsource things like frontend to their diversity-hire tokens or to overseas workers entirely. Many major companies do it. It's why websites like TH-cam and Discord are getting progressively worse and worse from an interface perspective
I see everyone hating on discord. I am a bug bounty hunter and we gotta understand that all of us are humans, everyone makes mistakes, way bigger companies are getting hacked daily with way stupider vulnerabilities and you gotta remember there are millions of places where you have to check for vulnerabilities. Of course it sounds stupid that it had such a stupid vulnerability because it was found and sounds like ‘holly shit everybody could find it’ it’s actually not working like that 😂
With modern JS frameworks the threat of XSS is lessened. React makes it obvious when you might have issues by making you type out "dangerouslySetInnerHTML" when you're doing something that is likely dumb. In React if you pass a "" to anything else it will be interpreted as text. This makes developers less aware of threats because XSS hasn't been a concern to them, until there's SSR and the browser is no longer told to interpret "" as text but it looks like it should be an element. It's super simple to avoid, but at the same time it's easy for developers to forget that it's a concern.
Sometimes, it's the implementation of XSS prevention which is vulnerable. There was evidence of existing XSS prevention in the audit that was made. Don't flame them too hard.
It wouldn't have been a thing in this day and age if we'd gotten rid of the hackers a long time ago. But we don't. We just keep gluing a cracked wall together with raisins and mud hoping that someone can't just bust it down and get to you.
ok so a bunch of people are saying stuff about React or DOMPurify, but what it looks like actually happened is they literally inserted the user-generated text INSIDE a script element before running it (either serverside or with .unsafeHTML). this is because the first part of the visible script we see is an end-script tag, so the injected script first needs to end the real discord script element (to avoid syntax errors), start its own with the token stealing, and then end it's and start a new one for the rest of discord's script. this is literally the MOST OBVIOUS xxs i've EVER SEEN, its literally fucking inserting text _from the user_ IN THE MIDDLE OF YOUR JAVASCRIPT literally wtf discord
i don't even know coding and it looks really simple actually basicly after joining, it should run that script mentioned in 1:46, and then that redirects your token to alot of sites (and probably, the hackers site) and simply, steals your account
mostly right, but the code execution has to do with rendering the page. from what i googled about this, they first get all the data and descriptions including that code snippet from their server. then they send back an HTML file text string for you to render on your client, which has the data inserted. but since it's directly pasted into the html script tag part, you can pretend you're part of the website asking for the token by writing your own html script. the site can't tell the difference between your custom code and theirs because again, it's pasted directly inside allowing you to transform the html as you please
Brother, in programming, mistakes happen. Maybe it was an issue with version control or some overworked tired guy put in a typo or pressed a wrong switch. I would not go as far as throwing shade on the people that messed up; that's not productive to begin with. Instead, Discord staff should be encouraged to look into this issue and to help them with documentations to explain how to correct this mistake (if they didn't knew to begin with), which is what that twitter user did.
XSS injection is one of the most basic vulnerabilities that should always be tested against. Security against it is built into most modern frameworks, for example with React the only way to make it vulnerable is to use a feature named `dangerouslySetInnerHTML`. I have no idea how they made this mistake unless they invented their own broken framework they didn't think to test, or they made so many bad decisions that they were actually using dangerouslySetInnerHTML in production.
It's stupid that Discord did that, but it is also astounding that redux put the vulnerable code on their website, with only a comment in the snippet saying "hey check this link for security issues", instead of including the two function calls that make it safe. And then I wonder why Discord server side renders/ templates it in there in the first place, js can access the query param itself... Truthfully as a developer I have to say that unfortunately I have had many less than competent colleagues, and combined with pressure and negligence from management that has lead to very similar and worse issues a number of times. These issues don't come out of nowhere.
I swear my account one got hacked, and it did something worse than take my money. It blocked all my friends, while sending them a false hate message! Im better now, and yes it was the QR code thing
It probably got in their DB, and then the page just loaded the values from their DB, which they did not sanitize properly. Kinda makes you wonder if the server is even verifying input properly before posting data in the database.. SQL Injections..
Your discord token will automatically change within 6-8 hours I think or maybe 12. It doesn't stay the same forever. They can send automated requests using that. But they can't change your password or access the full discord account. Unless they know the Server ID, Channel ID in which they want to send the message in. So they would have that info probably of only one server in which you were with the guy that sent you the link.
Two wrongs in this message. Firstly, the Discord token does not expire until you change your password or change two-factor authentication settings. Secondly, you are able to access the full account, it's very simple to log into an account using the token. Don't spread false security tips, it helps no one
LOL, how ironic that hackers are stealing discord tokens, yet they couldnt be bothered to update their version of nginx (which is old and very insecure)
What one could do in case of these dead ends mentioned in the video, it is always possible to look where the servers are hosted and what they are doing with them. ping, traceroute and nmap are your friends.
How the hell does a junior developer like myself understand how to prevent xss better than discord. This honestly screams of gross negligence and laziness
Even if you prevented it, sometimes xss prevention itself is a flaw, there are nearly infinite ways where a input can be sanitized, it’s a even in a good system, it’s a matter of time where it’s bound to happen
I was around the hacking space when this vulnerability was found. My friend tested it on me and we thought it was a cool little gimmick but nothing worth using against anyone except enemies. That was 6 years ago I believe, if it’s really been this long and they haven’t patched it, that’s extremely sad. Honestly a low level exploit as well.
i feel so bad for the people who had their accounts stolen but holy fuck is that funny lmao. It's such an easy thing to fix and I don't know how it's ever a thing in 2022
Wow... This is a school grade level exploit. Anyone who paid attention to basic website security knows how to prevent this attack. And yet Discord's dev team is so incompetent that it couldn't even prevent something this basic.
discords dev team is 12 year olds what want the badge
So why it this action not considered as in purpose? If so much money is being stolen, then a kickback is obvious.
@@0.r0 You seem like you're 12 with that spelling. Discord devs work at discord for money not a badge? And you have to be over 18 to actaully work at discord.
Bros the developer police 😭 the devs have hundreds of things to do they aren't able to check every little thing
@@bitrare7 seem*
Just because I don't use grammar does not mean I'm a 12 year old. Also, you could learn how to understand a joke?
The crazy thing is that React (which Discord is built with) literally has XSS protection built into it, meaning the developers had to deliberately go out of their way to make this exploit possible.
Discord is made with electron
@@Choroalp youre dumb
@@hovac. yes i am(and how do fuck you managed to find me)( some people saying itami might be backdoored)
@@Choroalp electron is the desktop framework, react is the frontend framework which discord is built with
@@Choroalp electron is just repackaged chrome and nodejs. You can use any framework with it, including react, which is what discord does
God, the absolute leveling that this guy does is addicting.
This guy feels like one of those parents that would go: "Yeah, school sucks, heres why it sucks-"
Facts
Nah it's true tho
is is
They use React and still got an XSS issue?! That's honestly unforgivable.
lmaao
Lmao someone just likes using dangerouslySetInnerHTML
@@jackdavenport5011 lmao they should just change it to innertext and its gone
Do they even code review at this point
@@frank8627-v8k You're right lmaoo
Fun fact. Changing your password doesn't always work. I actually once got hacked on Discord, and instantly changed my password the moment I knew what had happened. Before the scammer even had a chance to do it themselves. They still got control of my account.
Next level tomfoolery indeed.
In token stealing exploits, you may have to explicitly invalidate all your login sessions, which discord does allow you to do. Changing passwords doesn't necessary invalidate all existing login session tokens, though if discord had any sense they should.
They probably just send an automatic POST request to change the password to the discord server upon receiving the token immediately. Most likely that's why you don't have time to change your password in time
Why don't we create a script that generates tokens and sends them to all known token saving sites? Fill up their databases and have them be less effective
Actually, I found my goal for today xD
Safer to send junk and not actual tokens. Provided they don't have checking it'll still work and doesn't carry the risk of accidentally sending a legit token.
well there is a chance you can generate a legit token
@@polaris2707 Yea, would probably make sure to add or remove some random part to it to be safe
Exactly my thought. You just need to put it trough a service that sends it from different IP addresses first or they can filter it easily.
This seems to be a monthly thing now. Just don't click links. Simple
XSS vulnerabilities like this one are very rare.
I dont know if I should say this but I literally saw/knew a guy who said he can just token grab people by just giving a invite link and that was over a year ago ,just how many people have known about it before this vid almost scary
i mean, this link is looking safe. So the only possibility is, to not use the internet at all or don't use services like discord (what ever this means)
@@AANyt or just don't be dumb and have like 3000 layers of protection ezez
@@SurmenianSoldier or don't be dumb and click on whatever unsuspecting tinyurl links you see pop up
I've heard Twitter had a self-retwitting script that works just like this, but that was several years ago.
Can't believe this still happens
th-cam.com/video/zv0kZKC6GAM/w-d-xo.html
@@Coder_Tavi links get censored by YT (only the poster can see it, nobody else), which might explain why it's showing "2 replies" yet only one shows up
It was TweetDeck not Twitter as far as I know
NTTS is a youtuber I actually like to watch nowadays, even tho its about subjects I don't even know much about or affects me
@@stavratum 💀
@@stavratum if u don’t care then why’d you respond
@@izzyxvibes cause he is a fan
@@stavratum we don't care that you don't care
@@stavratum you seem like an angsty teenager with a "p" addiction.
Someone, please make this man a Discord Mod. He does figure out more than discord itself.. Hats off man. Love from India
NO OH GOD PLEASE DONT MAKE HIM A DISCORD MOD I DONT WANT TO BE HIS KITTEN
@@clouderinospooky
WHY ARE INDIAN PEOPLE EVERYWHERE LITERALLY EVERY COMMENT I SEE IT SAYS "LOVE FROM INDIA" AT THE END
@@itsarian. because they had too many kids
Why tf you insulting him for? Why do you want him to be a discord mod?
Discord messed up??!?! No way! Impossible!
-_-
Who could have guessed???
This is the first time this has happened in so long, I forgot Discord ever messed up!!!!!
I’m honestly astounded that in 2022, Discord of all companies managed to accidentally create an XSS exploit.
Well Google had one, so why stop the incompetence there?
Bro u clearly know nothing.
1. They didnt create an XSS Exploit, a person which found the vulnerability created the exploit
2. Even in Google, Nvidia, Apple etc. are xss, and even more dangerous vulnerabilities (like ssrf, or with that RCE) found (daily), so pls dont just talk shit about discord, when u clearly know nothing about this topic.
Look at for example Hackerone and see how many reports are daily submitted and resolved.
@@testuser1235 I ain't your "bro", either way you're still incorrect. Discord developed the application therefore they created the exploitable surface. Perhaps I didn't make that part of my comment clear.
I'm not sure why you're white knighting Discord as if they're gonna give you a job for defending them...
@@sluuuudge nah, im Not defending them, but I just can‘t stand people who think, Discord is the only Company who has vulnerabilities like that.
@@testuser1235 discord is the one company getting fame astoundingly fast ,with mass comes critics
Discord try not to create a security vulnerability with every new feature challenge (impossible)
I appreciate you making these videos. I love waiting to get into a MW2 match and watching discords biggest mistakes.
MW2?
@@jn567 Modern Warfare 2
@@jn567 jc isn’t really a gamer if he doesn’t know what modern warfare 2 is
@@uhKilz facts, he's probably 9 years old and plays Minecraft.
Looks like $800K wasn't that much for Discord, they should be again fined
The only vulnerability that's more unforgivable than XSS is SQL injections...
That this happened to a big company like Discord is even worse...
there should be (again) in the title 😂
Lol
Following this logic, the next exploit is gonna be "someone accidentaly typed 'DROP DATABASE discord' oops"
Or used "gets(password)"
IIRC they use nosql database, it would be impossible for that to happen, but xss, yea, those are different
Thank you for sharing this important information about the Discord NFT scam link. Your video is helping to educate and protect the community. Keep up the good work in raising awareness about these types of threats
I'm happy that I never fell for this scam because I got a lot of these DMs but I just ignored them.
i accidentally fell for one before like a month ago XD now im worried
@@tristanrhodes2789 change your password if you haven't already.
@@IllagerCaptain Yeah i did but that isnt the issue they have my account token not my password XD
Thank you for bringing this to light. You’re one of my favorite TH-camrs
damn bro thats crazy, they only did a minor felony this time?
NTTS, you covered this so well!
* I don't feel sorry for the idiots that have a lot of money I guess.
They’re NFT bros, don’t 💀
What the guy above me said
What the guy above the guy above me said
What the guy above the guy above the guy above me said
What the guy above the guy above the guy above the guy above me said
This is as good as a reminder to everyone to SANITIZE YOUR INPUTS.
xkcd reference
@Jimmeh make inputs(what they user types in a text box) basically only work for the purpose you give them, no funky business, lol
@@QUASAR098 Happy holidays to Bobby Tables
@@jimmydabear Design your website so that if the user types in computer code instead of a password their code doesn't get run.
This has nothing to do with input sanitation lmao
my face when discord's website is vulnerable to the simplest Cross site scripting imaginable.
As someone that is still learning web development, this stuff kinda scares me. My knowledge on network security as well as vulnerability detection is not that much yet.
This is why you gotta set your CSP headers. Even if somebody messed up the actual code itself, a good CSP will stop it from actually doing any harm!
I'm pretty sure the reason they were embedding the script off TH-cam was because of the CSP. So no, CSP would not have stopped it
I found someone that’s been doing this to get people’s tokens and selling their tokens since the QR code scam, I’ve always thought this was possible but never had a sample to work with like you did, good job man!
i didn't even know what this was called but as soon as i saw the html i knew exactly what was going on.
like no way did they let you just write html in a text description like that
That's like a fox guarding the henhouse
Thanks for letting us know man, I hope you stay safe out there
A few years ago a security researcher found an XSS vulnerability in TweetDeck and used it to make the only self retweeting tweet.
man, the last time I saw such a major and easy xss vulnerability was xss in tweetdeck 8 years ago. and that was just a self-retweeting tweet.
such incompetence.
The moment I hear "This was against NFT groups" I immediately agree with the exploiters
Sucks that it happened, but at least it was a bunch of crypto nerds and not actual human beings
That's a bit harsh. I don't even do crypto
That cherry server really went through a lot of pain mainly thier owner🤣🤣🤣
Abee 👁 👁 😂
👄
@@twilighttales-kya bol raha hai bhai
I think what's crazy is that people are just now figuring out about this exploit which has actually been around for nearly 2 years now.
Also most of the people hijacking accounts are focusing on people with og or "leets" for username and account age so that they can keep it and or sell it. A "leet" would be a username like root#0001 for example.
i’m genuinely surprised this was overlooked, literally no validation checks or encoding on the html to make sure that scrips aren’t being executed.. it’s unsurprising coming from discord though
@@zydn it’s discord 😂 they always find a way to make something worse
@@zydn Yes that’s true when using JSX. But this exploit was done through the state management software. When someone loads the page it get exploited before the page even renders out html. If it was in the JSX it would have been sanitized
@@zydn React takes some steps to protect against simple xss attacks and html input vector rendering. displaying script tags, for instance, or other things. The exploit in this case is trickier than you might expect because it only guards against DOM-based XSS assaults, although XSS comes in a variety of forms. Having said that, data sanitization might have easily avoided this.
This is why I stay logged out in my browsers
Fantastic video to inform us all about it but to be honest if you just stick to the rule of never clicking on any links before asking around or anything is the safest way to go
Do not let your curiosity or greed get the better of you as those are usually how you fall for any scams
Always ask yourself what could happen or simply why do I have to click on something someone sent me in dm which I have never spoken to before.
Always have a certain level of distrust as come on this is the internet unless you know them personally irl you should always that certain level of awareness as anything could happen such as even your best friend on internet for years could turn on you for personal benefits
This is why you don't click links. Even if it's from someone you think you know, try to engage them in a conversation (esp if you haven't heard from them in a minute); if they talk different than normal, you know
brainfart: could people theoretically spam the blueh and/or hawkemedia links with fake/random tokens via scripts to throw some sand in their gearbox? obviously not all from the same IP so it's not as easy for them to filter out. they'd have to figure out if the tokens they collected are actually valid, and i guess would be kinda pissed if 99% aren't lol 🤔
A friend of mine lost his account to this. Luckily we were able to recover it, but it was scary for a while there.
This shows how little testing they have. If they'd had more testing, especially for such a simple webpage, this would have never made it to live.
Xss is very simple to prevent and, as many people have posted many times before, is very simple to escape a user's input.
Apparently Discord doesn't know/follow the "never trust user input" rule.
Also, with Discord being as big as it is, you'd think they'd do vulnerability testing that would have told them about this problem long before it got out of dev.
"Surprise penetration testing"
This is why it's a good idea to use Element instead, Discord just keeps on getting these weird instabilities.
@C00L3R Not really. It's like saying Slack is *just* for companies.
The only companies on Element in my vicinity is the company of the lads.
Also, with Guilded... Roblox Corporation. Enough said.
Plus, it's free (libre) and open source, which should be the norm for communications/chat apps.
To be honest, I'm not even suprised anymore that Discord has another exploit. If they fix one, someone will find another one 😅
This happened to me. I got offered to be paid to "test" a service or something similar and be invited to a server. I just simply ignored those DMs. They were persistent and would try one or two more times, I still never clicked on them.
Stealing a Discord token is incredibly bad. If you lose the token and the recipient has any sort of scripting set up, you can expect to have the entire account stolen inside of 30 seconds.
I'd fallen for a phish where I was asked to test a game distributed over Itch. It stole my Discord token from my Discord desktop client, logged me out, and closed the client.
And despite having 2FA on my account, I was unable to log back in again, as the token thief managed to strip 2FA AND change the password AND change the email address on it. Without any sort of request for 2FA tokens from my phone or passwords.
I'd asked Discord support over Twitter for assistance, and they'd reverted the email address back to mine... but presumably the token never got reset or the token stealer was still running on my machine, because it was stolen and yanked away from me yet again.
And yes, I was a paying Nitro user with saved payment information. Thankfully, because I paid via PayPal, I was able to tell PayPal to never send any money toward Discord and saved myself ~US$150 of fraudulent purchases.
Keep slaying no text to speech
SLAY QUEEN 💅💅💅💅💅💅💅💅💅💅
that's crazy. well on the slightly bright side, at least it's fixed now...
im not a security engineer or anything, but didnt this exact same thing happen with Flash? Like this is one of the most simplest things to avoid.
Yes xss is literally thought in schools, that's how basic it is to do
It is possible to do a lot of input sanitization, CORS policy changes and CSP changes to circumvent a lot of XSS, but in the end you probably won't get everything. Hackers will reverse a site and try to find a bypass to the filter you set in place. It isn't necessarily Discord's fault because it took hackers this long to discover it. It just goes to show that nothing you do as a security researcher and engineer will truly patch a vulnerability fully, but instead just makes it harder for a hacker to exploit it. Discord does have a bug bounty, but if crypto scams will yield more money than the reward money from the bug bounty, it makes more sense for hackers to exploit it rather than responsibly disclosing it.
this is a new feature that just came out with discord that got XSS'ed
@@JaivianDean Even then, reflected XSS is one of the least serious types of XSS. If it were to have been stored XSS, we would have had a huge problem (worse than this one). This still required a little social engineering and user interaction to pull off. Though that kinda makes sense, they should have probably checked for something like that before they pushed an update.
Like I said, the only way to stop this, is to deal with the hackers one on one. Trying to patch up a broken wall, to hide from them, is only delaying the inevitable, because they will ALWAYS find you. Sadly, everyone chooses to literally allow them to do these things.
@@Sopitive or just be smart, don’t click on those links, if you want do it in a incognito mode or a vm (though, this is not really practical)
Your videos are getting better & better! I follow you since you had 50k subs. Great job!!
I can't believe that discord forgot about it! It's legit on the OWASP top 10 web app vulnerabilities. A lot of these big companies forget about web app security 101 and it's sad.
They outsource things like frontend to their diversity-hire tokens or to overseas workers entirely. Many major companies do it. It's why websites like TH-cam and Discord are getting progressively worse and worse from an interface perspective
it’s insane discord never patched this, i literally used it in 5th grade to mess with my friends on websites they made
these security exploits are really making guilded look like a feasible option
Guilded is owned by Roblox.
Don't move to an equally trash platform. Pick something open source, like Element or Signal
I really hope you get to be a discord mod. You do more than the discord staff at this point. PLEASE LET ME BE YOUR KITTEN 😳😳😳
what the hell
Took me a minute to get that reference
That with the worm is talked about with interview on darknet diarys
i remember when tweetdeck had a xss self retweeting tweet a long time ago. How so many people don't see this issue with their websites is crazy to me
Moral of the story: STOP... CLICKING... RANDOM... LINKS...
Kthx
I see everyone hating on discord. I am a bug bounty hunter and we gotta understand that all of us are humans, everyone makes mistakes, way bigger companies are getting hacked daily with way stupider vulnerabilities and you gotta remember there are millions of places where you have to check for vulnerabilities. Of course it sounds stupid that it had such a stupid vulnerability because it was found and sounds like ‘holly shit everybody could find it’ it’s actually not working like that 😂
The junior developer who wrote that: oops.. 👀
With modern JS frameworks the threat of XSS is lessened. React makes it obvious when you might have issues by making you type out "dangerouslySetInnerHTML" when you're doing something that is likely dumb. In React if you pass a "" to anything else it will be interpreted as text. This makes developers less aware of threats because XSS hasn't been a concern to them, until there's SSR and the browser is no longer told to interpret "" as text but it looks like it should be an element. It's super simple to avoid, but at the same time it's easy for developers to forget that it's a concern.
literally 101 stuff at that level
how on earth do they not endlessly dom-purify the shit out of everything user generated?
Funny how I got a discord ad at the start
So glad I've been sick the last few days
Well it's like some say "one's man's trash,another's trash"
"Discord messed up server discovery" - i already thought about xss
These vulnerabilities look as bad as the ones on the Roblox website lol
Even I, someone who makes tiny Github websites with no actual security risks, patch XSS. How did Discord forget?
Honestly nevermind the NFT and cryptobros, this could've been a lot worse and the lack of transparency about it is kinda unsettling
Sometimes, it's the implementation of XSS prevention which is vulnerable. There was evidence of existing XSS prevention in the audit that was made. Don't flame them too hard.
That’s really really bad. The fact that this is even a possibility in this day and age is insane
It wouldn't have been a thing in this day and age if we'd gotten rid of the hackers a long time ago. But we don't. We just keep gluing a cracked wall together with raisins and mud hoping that someone can't just bust it down and get to you.
I like how they're just using a default nginx forbiden page like "damn this is so easy we dont even need to make it look like its not a scam!"
ok so a bunch of people are saying stuff about React or DOMPurify, but what it looks like actually happened is they literally inserted the user-generated text INSIDE a script element before running it (either serverside or with .unsafeHTML). this is because the first part of the visible script we see is an end-script tag, so the injected script first needs to end the real discord script element (to avoid syntax errors), start its own with the token stealing, and then end it's and start a new one for the rest of discord's script.
this is literally the MOST OBVIOUS xxs i've EVER SEEN, its literally fucking inserting text _from the user_ IN THE MIDDLE OF YOUR JAVASCRIPT literally wtf discord
So it's basically the classic '); DROP TABLE x --; trick
i don't even know coding and it looks really simple actually
basicly after joining, it should run that script mentioned in 1:46, and then that redirects your token to alot of sites (and probably, the hackers site) and simply, steals your account
mostly right, but the code execution has to do with rendering the page. from what i googled about this, they first get all the data and descriptions including that code snippet from their server. then they send back an HTML file text string for you to render on your client, which has the data inserted. but since it's directly pasted into the html script tag part, you can pretend you're part of the website asking for the token by writing your own html script. the site can't tell the difference between your custom code and theirs because again, it's pasted directly inside allowing you to transform the html as you please
@@antehll ohhhh i get it
Thanks for the information, Shared in my discord server
Whoa! Some classic XSS just became a 0-day on Discord. How unexpected! 😂
Bobby Tables would be proud... or maybe disappointed.
the light mod thumbnail BRUHHH
Nobody's perfect, accidents happen, live and learn.
But seriously, they better fix their schitt.
Another day, another scammer heist. On Discord ofcourse!
Brother, in programming, mistakes happen. Maybe it was an issue with version control or some overworked tired guy put in a typo or pressed a wrong switch.
I would not go as far as throwing shade on the people that messed up; that's not productive to begin with. Instead, Discord staff should be encouraged to look into this issue and to help them with documentations to explain how to correct this mistake (if they didn't knew to begin with), which is what that twitter user did.
XSS injection is one of the most basic vulnerabilities that should always be tested against. Security against it is built into most modern frameworks, for example with React the only way to make it vulnerable is to use a feature named `dangerouslySetInnerHTML`. I have no idea how they made this mistake unless they invented their own broken framework they didn't think to test, or they made so many bad decisions that they were actually using dangerouslySetInnerHTML in production.
It's stupid that Discord did that, but it is also astounding that redux put the vulnerable code on their website, with only a comment in the snippet saying "hey check this link for security issues", instead of including the two function calls that make it safe. And then I wonder why Discord server side renders/ templates it in there in the first place, js can access the query param itself...
Truthfully as a developer I have to say that unfortunately I have had many less than competent colleagues, and combined with pressure and negligence from management that has lead to very similar and worse issues a number of times. These issues don't come out of nowhere.
I swear my account one got hacked, and it did something worse than take my money.
It blocked all my friends, while sending them a false hate message!
Im better now, and yes it was the QR code thing
Where's my "I love you bye bye!" 😭best part of your videos.
It probably got in their DB, and then the page just loaded the values from their DB, which they did not sanitize properly. Kinda makes you wonder if the server is even verifying input properly before posting data in the database.. SQL Injections..
Your discord token will automatically change within 6-8 hours I think or maybe 12. It doesn't stay the same forever. They can send automated requests using that. But they can't change your password or access the full discord account. Unless they know the Server ID, Channel ID in which they want to send the message in. So they would have that info probably of only one server in which you were with the guy that sent you the link.
Two wrongs in this message. Firstly, the Discord token does not expire until you change your password or change two-factor authentication settings. Secondly, you are able to access the full account, it's very simple to log into an account using the token. Don't spread false security tips, it helps no one
LOL, how ironic that hackers are stealing discord tokens, yet they couldnt be bothered to update their version of nginx (which is old and very insecure)
Idea: use python / Java scripts to spam send http requests with BS tokens to make it so they have to check each
Hawks media just sues meta tags to make it redirect to a different site.
Coool, I
how is discord so shitty that there are 392829 ways to get a totally well protected and hidden token that can access your entire account
What one could do in case of these dead ends mentioned in the video, it is always possible to look where the servers are hosted and what they are doing with them. ping, traceroute and nmap are your friends.
How the hell does a junior developer like myself understand how to prevent xss better than discord. This honestly screams of gross negligence and laziness
Even if you prevented it, sometimes xss prevention itself is a flaw, there are nearly infinite ways where a input can be sanitized, it’s a even in a good system, it’s a matter of time where it’s bound to happen
Wow I was wondering all the warnings saying not to click links lmao
Mean, if NFT bros mainly got hit guess congrats.
I was planning to use discord login built into opera gx to use alt account from the main program, but this seems like such a big security flaw now
I was around the hacking space when this vulnerability was found. My friend tested it on me and we thought it was a cool little gimmick but nothing worth using against anyone except enemies. That was 6 years ago I believe, if it’s really been this long and they haven’t patched it, that’s extremely sad. Honestly a low level exploit as well.
i feel so bad for the people who had their accounts stolen but holy fuck is that funny lmao. It's such an easy thing to fix and I don't know how it's ever a thing in 2022