Discord Screwed Up… Badly 

Wow... This is a school grade level exploit. Anyone who paid attention to basic website security knows how to prevent this attack. And yet Discord's dev team is so incompetent that it couldn't even prevent something this basic.

The crazy thing is that React (which Discord is built with) literally has XSS protection built into it, meaning the developers had to deliberately go out of their way to make this exploit possible.

They use React and still got an XSS issue?! That's honestly unforgivable.

Why don't we create a script that generates tokens and sends them to all known token saving sites? Fill up their databases and have them be less effective

Fun fact. Changing your password doesn't always work. I actually once got hacked on Discord, and instantly changed my password the moment I knew what had happened. Before the scammer even had a chance to do it themselves. They still got control of my account. Next level tomfoolery indeed.

God, the absolute leveling that this guy does is addicting. This guy feels like one of those parents that would go: "Yeah, school sucks, heres why it sucks-"

This seems to be a monthly thing now. Just don't click links. Simple

I've heard Twitter had a self-retwitting script that works just like this, but that was several years ago. Can't believe this still happens

I’m honestly astounded that in 2022, Discord of all companies managed to accidentally create an XSS exploit.

NTTS is a youtuber I actually like to watch nowadays, even tho its about subjects I don't even know much about or affects me

Discord try not to create a security vulnerability with every new feature challenge (impossible)

Looks like $800K wasn't that much for Discord, they should be again fined

Discord messed up??!?! No way! Impossible!

This is as good as a reminder to everyone to SANITIZE YOUR INPUTS.

Someone, please make this man a Discord Mod. He does figure out more than discord itself.. Hats off man. Love from India

The only vulnerability that's more unforgivable than XSS is SQL injections... That this happened to a big company like Discord is even worse...

there should be (again) in the title 😂

I appreciate you making these videos. I love waiting to get into a MW2 match and watching discords biggest mistakes.

Following this logic, the next exploit is gonna be "someone accidentaly typed 'DROP DATABASE discord' oops"

Thank you for bringing this to light. You’re one of my favorite RU-vidrs

damn bro thats crazy, they only did a minor felony this time?

Thanks for letting us know man, I hope you stay safe out there

Thank you for sharing this important information about the Discord NFT scam link. Your video is helping to educate and protect the community. Keep up the good work in raising awareness about these types of threats

I'm happy that I never fell for this scam because I got a lot of these DMs but I just ignored them.

NTTS, you covered this so well! * I don't feel sorry for the idiots that have a lot of money I guess.

A few years ago a security researcher found an XSS vulnerability in TweetDeck and used it to make the only self retweeting tweet.

Your videos are getting better & better! I follow you since you had 50k subs. Great job!!

I found someone that’s been doing this to get people’s tokens and selling their tokens since the QR code scam, I’ve always thought this was possible but never had a sample to work with like you did, good job man!

Thank you NTTS for a birthday gift that is this video

my face when discord's website is vulnerable to the simplest Cross site scripting imaginable.

As someone that is still learning web development, this stuff kinda scares me. My knowledge on network security as well as vulnerability detection is not that much yet.

Hey, I have been watching for a long while, and I only now just realized that I was never subscribed! Your videos have always been recommended to me :)

This is why you gotta set your CSP headers. Even if somebody messed up the actual code itself, a good CSP will stop it from actually doing any harm!

i’m genuinely surprised this was overlooked, literally no validation checks or encoding on the html to make sure that scrips aren’t being executed.. it’s unsurprising coming from discord though

man, the last time I saw such a major and easy xss vulnerability was xss in tweetdeck 8 years ago. and that was just a self-retweeting tweet. such incompetence.

This happened to me. I got offered to be paid to "test" a service or something similar and be invited to a server. I just simply ignored those DMs. They were persistent and would try one or two more times, I still never clicked on them.

Fantastic video to inform us all about it but to be honest if you just stick to the rule of never clicking on any links before asking around or anything is the safest way to go Do not let your curiosity or greed get the better of you as those are usually how you fall for any scams Always ask yourself what could happen or simply why do I have to click on something someone sent me in dm which I have never spoken to before. Always have a certain level of distrust as come on this is the internet unless you know them personally irl you should always that certain level of awareness as anything could happen such as even your best friend on internet for years could turn on you for personal benefits

Im gonna sleep very well tonight knowing that NFT are losing money again

A friend of mine lost his account to this. Luckily we were able to recover it, but it was scary for a while there.

i remember when tweetdeck had a xss self retweeting tweet a long time ago. How so many people don't see this issue with their websites is crazy to me

i didn't even know what this was called but as soon as i saw the html i knew exactly what was going on. like no way did they let you just write html in a text description like that

The moment I hear "This was against NFT groups" I immediately agree with the exploiters

Spectacular analysis. Thank you!

I think what's crazy is that people are just now figuring out about this exploit which has actually been around for nearly 2 years now. Also most of the people hijacking accounts are focusing on people with og or "leets" for username and account age so that they can keep it and or sell it. A "leet" would be a username like root#0001 for example.

brainfart: could people theoretically spam the blueh and/or hawkemedia links with fake/random tokens via scripts to throw some sand in their gearbox? obviously not all from the same IP so it's not as easy for them to filter out. they'd have to figure out if the tokens they collected are actually valid, and i guess would be kinda pissed if 99% aren't lol 🤔

That cherry server really went through a lot of pain mainly thier owner🤣🤣🤣

I've been using that new string type quite a bit lately. It's very useful.

Thanks for the information, Shared in my discord server

To be honest, I'm not even suprised anymore that Discord has another exploit. If they fix one, someone will find another one 😅

This shows how little testing they have. If they'd had more testing, especially for such a simple webpage, this would have never made it to live. Xss is very simple to prevent and, as many people have posted many times before, is very simple to escape a user's input. Apparently Discord doesn't know/follow the "never trust user input" rule. Also, with Discord being as big as it is, you'd think they'd do vulnerability testing that would have told them about this problem long before it got out of dev.

This is why you don't click links. Even if it's from someone you think you know, try to engage them in a conversation (esp if you haven't heard from them in a minute); if they talk different than normal, you know

it’s insane discord never patched this, i literally used it in 5th grade to mess with my friends on websites they made

It is possible to do a lot of input sanitization, CORS policy changes and CSP changes to circumvent a lot of XSS, but in the end you probably won't get everything. Hackers will reverse a site and try to find a bypass to the filter you set in place. It isn't necessarily Discord's fault because it took hackers this long to discover it. It just goes to show that nothing you do as a security researcher and engineer will truly patch a vulnerability fully, but instead just makes it harder for a hacker to exploit it. Discord does have a bug bounty, but if crypto scams will yield more money than the reward money from the bug bounty, it makes more sense for hackers to exploit it rather than responsibly disclosing it.

This is why it's a good idea to use Element instead, Discord just keeps on getting these weird instabilities.

That with the worm is talked about with interview on darknet diarys

What one could do in case of these dead ends mentioned in the video, it is always possible to look where the servers are hosted and what they are doing with them. ping, traceroute and nmap are your friends.

Keep slaying no text to speech

I really hope you get to be a discord mod. You do more than the discord staff at this point. PLEASE LET ME BE YOUR KITTEN 😳😳😳

I was around the hacking space when this vulnerability was found. My friend tested it on me and we thought it was a cool little gimmick but nothing worth using against anyone except enemies. That was 6 years ago I believe, if it’s really been this long and they haven’t patched it, that’s extremely sad. Honestly a low level exploit as well.

That’s really really bad. The fact that this is even a possibility in this day and age is insane

these security exploits are really making guilded look like a feasible option

I can't believe that discord forgot about it! It's legit on the OWASP top 10 web app vulnerabilities. A lot of these big companies forget about web app security 101 and it's sad.

really cool video! can you tell me what explorer do you use? or what theme do you use to make it look that way? i been trying to find a cool browser and yours is really cool.

I actually had my Discord account stolen a while ago - after signing into what I thought was a Discord page. They changed my password (which is how I learned that the account was hijacked). They deleted everything, logged my account into a bunch of random servers, then game my account back. When I contacted Discord, they told me that it was impossible for my account to have been stolen. After I got my account back (no help from Discord on this front, since they insisted that it wasn’t even possible), I asked them if they could tell me where my account was accessed from. I never got a reply back from them. I found out on my own, using Discords own tools, what countries (yes, more than one) my account had been accessed from between the time it was stolen and the time it was “returned”.

This is why I stay logged out in my browsers

So glad I've been sick the last few days

Even I, someone who makes tiny Github websites with no actual security risks, patch XSS. How did Discord forget?

that's crazy. well on the slightly bright side, at least it's fixed now...

You can use burp suite to check what it is doing in detail

Whoa! Some classic XSS just became a 0-day on Discord. How unexpected! 😂

Where's my "I love you bye bye!" 😭best part of your videos.

Funny how I got a discord ad at the start

Wich Browser are you using? It Looks so cool with the rounded edges

You should really look into being a security researcher, great work!

It's stupid that Discord did that, but it is also astounding that redux put the vulnerable code on their website, with only a comment in the snippet saying "hey check this link for security issues", instead of including the two function calls that make it safe. And then I wonder why Discord server side renders/ templates it in there in the first place, js can access the query param itself... Truthfully as a developer I have to say that unfortunately I have had many less than competent colleagues, and combined with pressure and negligence from management that has lead to very similar and worse issues a number of times. These issues don't come out of nowhere.

When i saw the video title i thought: yeah do they actual do good things instead of hurting its users and platform like i have never seen that discord does something good

"Discord messed up server discovery" - i already thought about xss

Your discord token will automatically change within 6-8 hours I think or maybe 12. It doesn't stay the same forever. They can send automated requests using that. But they can't change your password or access the full discord account. Unless they know the Server ID, Channel ID in which they want to send the message in. So they would have that info probably of only one server in which you were with the guy that sent you the link.

I’m amazed this could happen

I'm wondering if that's what happened to me yesterday or something new, cuz someone else was on my account for a bit, but instead of sending links they went into a vc as me and yelled slurs.

Does Discord not have a blue team? It sounds like they don't from the presence of these scams and exploits.

im not a security engineer or anything, but didnt this exact same thing happen with Flash? Like this is one of the most simplest things to avoid.

What did you do to your firefox to make it look like that? the coloration of boxes and lines around the tabs to be specific.

There was a similar /script exploit on twitter a few years back, it wasn't malicious but it easily could have been All it did was as soon as a tweet was loaded, it would automatically make you retweet the heart emoji and anyone who loaded that tweet would also do it

I was planning to use discord login built into opera gx to use alt account from the main program, but this seems like such a big security flaw now

Sucks that it happened, but at least it was a bunch of crypto nerds and not actual human beings

Another day, another scammer heist. On Discord ofcourse!

Stealing a Discord token is incredibly bad. If you lose the token and the recipient has any sort of scripting set up, you can expect to have the entire account stolen inside of 30 seconds. I'd fallen for a phish where I was asked to test a game distributed over Itch. It stole my Discord token from my Discord desktop client, logged me out, and closed the client. And despite having 2FA on my account, I was unable to log back in again, as the token thief managed to strip 2FA AND change the password AND change the email address on it. Without any sort of request for 2FA tokens from my phone or passwords. I'd asked Discord support over Twitter for assistance, and they'd reverted the email address back to mine... but presumably the token never got reset or the token stealer was still running on my machine, because it was stolen and yanked away from me yet again. And yes, I was a paying Nitro user with saved payment information. Thankfully, because I paid via PayPal, I was able to tell PayPal to never send any money toward Discord and saved myself ~US$150 of fraudulent purchases.

I like how they're just using a default nginx forbiden page like "damn this is so easy we dont even need to make it look like its not a scam!"

Sometimes, it's the implementation of XSS prevention which is vulnerable. There was evidence of existing XSS prevention in the audit that was made. Don't flame them too hard.

the light mod thumbnail BRUHHH

are those coloured tab groups a chrome plugin on is that a build in feature of chrome?

The junior developer who wrote that: oops.. 👀

This is why sensitive information is better saved in cookies instead of in session. This info isn't accessible by scripts if you are using HTTP-only cookies

I'm sorry but I really like the "I spy a scam" etc. buttons where your tabs are, is it like a chrome extension or something?

Wow I was wondering all the warnings saying not to click links lmao

Why does the outro always catch me off guard?

the thing is, how are you supposed to know theirs a volubility in something intill it gets found?

i feel so bad for the people who had their accounts stolen but holy fuck is that funny lmao. It's such an easy thing to fix and I don't know how it's ever a thing in 2022

Wait, they hold the session token in the local storage? Did they made this with some random ass tutorial on the internet?