Hacking a Discord Server With a Link!

Просмотров 243 тыс.

% 8 838

My greatest fear has been unlocked...
Discord scams, hacks, and vulnerabilities are usually pretty scary for everyday people. But as a chronically online Discord mod, these things don't scare me anymore. I thought I saw every single Discord scam and knew how to avoid them.
But clicking on a link and having my Discord server ruined within a minute. Whether it be Carl bot sending a scam message, Dyno doing an admin giveaway, or Maki deciding that everyone gets admin, this destruction is all caused by vising a website.
So maybe, just maybe, think twice before clicking a link on Discord.
LINKS
-----------------------------------------------------------------------------
xyzeva's socials
kibty.town/
github.com/xyzeva
SOCIALS
-----------------------------------------------------------------------------
Discord Server
discord.gg/B46HXK5fZm
Twitter
notexttospeech
Music
-----------------------------------------------------------------------------
Shrimpnose - Memories of When.... chll.to/8b308c14
Aviino - Two Thousand Miles chll.to/4a50df88
Philanthrope, mommy - Growing Through The Cracks chll.to/b4e8f2c5
TIMESTAMPS
-----------------------------------------------------------------------------
00:00 - Click link = hacked server
00:26 - Carl bot scamming
01:35 - How the vulnerability works
03:10 - Dyno's admin giveaway
04:34 - Maki's admin for everyone!
05:50 - Happy ending :)

Наука

Опубликовано:

1 янв 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 455

@destroy_0001 7 месяцев назад

Developer of Carl-bot here, we fixed this as soon as we were notified about it. So this isn't possible anymore! Thanks Eva and Ntts for bringing this to our attention!

@AyaanThe0ne 7 месяцев назад

W comment

@omega_omega 7 месяцев назад

Hip hip HOORAY!

@shin_ind 7 месяцев назад

W developer

@AquaQuokka 7 месяцев назад

Are you guys still using Pycord?

@nenkinat 7 месяцев назад

ratio

@AquaQuokka 7 месяцев назад

Eva is straight-up shredding through vulnerabilities, would be nice if we had people as good as her at Discord and the teams making insecure bots.

@pootispiker2866 7 месяцев назад

She probably wouldn't be allowed to do anything

@FO0TMinecraftPVP 7 месяцев назад

He has pronouns in his bio so it's most likely a guy in his phase playing pretend but yeah he's really good at finding vulnerabilities, I can respect that.

@DaBlincx 7 месяцев назад

@@FO0TMinecraftPVP why do you care if she has pronouns in her bio, why does that matter? get a life and complain elsewhere

@pootispiker2866 7 месяцев назад

@@FO0TMinecraftPVP Bro gets zero bitches

@AveriV1 7 месяцев назад

@@FO0TMinecraftPVP have you seen ur youtube channel lol

@MakiDiscord 7 месяцев назад

We have patched this issue within the hour after we were notified. This vulnerability made it possible to toggle a module, giving someone admin wasn't possible unless a server administrator manually and knowingly set a role with administror permissions as an automatic role. Thanks you, Eva! 👍

@solaris_dev 7 месяцев назад

hello MakiBot, I use you in my Discord server.

@Powertampa 7 месяцев назад

Good, now pay her and then buy a book on basic network security

@nanopi 7 месяцев назад

W dev response

@DrEggCake 7 месяцев назад

Thanks for fixing this as soon as possible and saving thousands of discord servers

@acpisux 7 месяцев назад

buy a book about or ask ltt how tf are their servers are good at securing threats

@DespondentFraud 7 месяцев назад

no text to speech always makes our toes wiggle in excitement whenever a new video drops❤

@Seago16 7 месяцев назад

facts

@crebz 7 месяцев назад

Proof? 😭😏😂

@ReeeMonke 7 месяцев назад

OH MY GOD DESPONDENTFRAUD I LOVE YOUR VIDS PLEASE NOTICE ME

@shivamguchhait 7 месяцев назад

@@ReeeMonkewhen ur fan has more subs.

@DespondentFraud 7 месяцев назад

@@ReeeMonke what videos?

@inkcloudss 7 месяцев назад

Been loving the ntts x Eva collab videos.

@FriedMonkey362 7 месяцев назад

As a web developper thats like the first few things you learn, how do people still make these mistakes, especially in these big bot websites

@launay98 7 месяцев назад

Many learn to code on their own and have no knowledge of cybersecurity 🤷‍♂

@DrEggCake 7 месяцев назад

@@launay98 thats why all developers should do network security courses

@MartimAlt 7 месяцев назад

i love how the editor included that one isaacwhy video where 2 people got higher roles by exploiting dyno, good reference!

@LunarPriestessYT 7 месяцев назад

Of course NTTS has a God role for himself in his discord server

@RedstonetemmieGD-real 7 месяцев назад

Let's be real, most owners have a stupid over the top role like God, I've got empress and my friend has just "Literally the most powerful being"

@VillagerGOAT 7 месяцев назад

Let's Be real, most kids have a stupid 2 words after their name called "YT" in the RU-vid itself use it somewhere else because everyone knows this is RU-vid and people use "YT" to tell others that you're a RU-vidr in other platforms , games ect.

@RedstonetemmieGD-real 7 месяцев назад

@@VillagerGOAT I never understood that myself

@VillagerGOAT 7 месяцев назад

thats so real @@RedstonetemmieGD-real

@silent96024 6 месяцев назад

@@VillagerGOAT "erm, it's actually 2 letters" 🤓 jokes aside, this is true.

@neofos 7 месяцев назад

Now my new ultimate goal is to build a Discord service that NTTS' new e-girl won't be able to hack. Jokes aside, thanks to both of you for finding and pointing out these. You help making Discord a little bit better.

@Infisrael 7 месяцев назад

Welcome back, hope you have a great break and happy new years everybody!

@majsing_xd1032 6 месяцев назад

4:29 this had me ROLLING 😭🙏

@zephyspeed 3 месяца назад

i hope he explained it to her after 😭

@madara_thegoat 12 дней назад

same

@kmcat 7 месяцев назад

You need to do a video to assigning bots the minimum amount of permissions (Least privilege). I see too many bots asking for basically server admin.

@codrutx 7 месяцев назад

If every POST request needs a authorization token, CSRF would not work, and that's the best way to make sure 3rd party sites cannot use a API without proper authorization.

@saiv46 7 месяцев назад

Or better - do NOT make these API methods in first place

@codrutx 7 месяцев назад

@@saiv46 Well then, the web portal would not work even from the official site.

@2fas_lol 7 месяцев назад

yo thanks for coming back! we missed u

@retrogamerfoxxie 7 месяцев назад

XYZ Eva appearing in another vid is a good sign!

@1338bubble 7 месяцев назад

the crazy thing is the specific vulnerability that Eva has been finding arnt advanced at all. they’re quite simple actually, discord needs to fix their security

@MasterCraft_48 7 месяцев назад

It's not Discord that is responsible for APIs. You might argue that Discord should look into big bots but mee6 should have been taken down ages ago if they did such.

@1338bubble 7 месяцев назад

@@MasterCraft_48 it’s a discord CRSF or XSS vulnerability.

@SmilerRyanYT 7 месяцев назад

The thing is, its just so easy for someone to get tricked into changing a setting with this, and it's literally just as simple as denying direct access to the page.

@1338bubble 7 месяцев назад

@@SmilerRyanYT yep

@spline5243 7 месяцев назад

not discord's fault, the bot developer's fault.

@Reclinesmc 7 месяцев назад

Amazing video as always

@normalguy21740 7 месяцев назад

Can you do a video on LastFMRichPresence in Vencord plugins on how to use or activate and explain what does it do? thanks!

@ArachmadiPutra 7 месяцев назад

HAA! im managing ~30 servers with all automod and embeds are using Carl. I felt so annoyed lately, because carl shorten their cookies timeout which is led to re-login with Discord. But here's the annoying part, you can still access the inside of dashboard even your session end, you can refresh the page and you still inside, but once you save your changes, you'll be redirected to Carl login page, which absolutely lost the last work you've made before.

@BabanDlh 7 месяцев назад

Happy new year NTTS

@Kenishura 6 месяцев назад

yo chat, the hangout chat social chill, still up there lesgo

@rebok232 7 месяцев назад

Thanks for creating this video, i didn't realize that that exploit was a thing and how it worked. Now i know that when making an api that uses cookies to authenticate, to require putting a header. So when browser redirects you to the api page, the api knows the request isn't from the frontend. And if an external site does a request with this header, the browser wouldn't allow it to access the cookies, making it safe.

@_hard_shutdown7237 7 месяцев назад

even from a frontend, your requests should be using an Authorization header using something like a JWT. no links can make it send that header. Additionally, check the Referrer header. If it's not your website, you can block and have your API return an error or redirect to a warning page (might be smarter)

@SmilerRyanYT 7 месяцев назад

A simple no referrer redirect to the homepage would probably be good enough. Easy for developers to keep the thing as is (they just add a referrer in) and for direct clicks outside of their own website would be blocked.

@rebok232 7 месяцев назад

@@SmilerRyanYT the easiest way, is for your api endpoints to don't use GET, so the browser can't load them from the url bar, and you can't redirect to page not leading to GET

@_hard_shutdown7237 7 месяцев назад

@@SmilerRyanYT yeah, but having a warning page would be good too. that way they know they almost got tricked, and are able to report things as needed, and prevent them doing it again

@WindowsDaily 7 месяцев назад

@@rebok232that would help but on its own not stop anything. Anyone could still make a redirect page that just sends a POST request.

@RTOmega 7 месяцев назад

Eva about to get Bug Hunter Supreme badge:

@bill.zhanxg 7 месяцев назад

Eva should become a security engineer instead of finding random discord bot bugs lol

@Vinicius.Cavallari 7 месяцев назад

Hey,i know its a off topic question,but what vpn should i use? You are the only one I actually trust on internet topics,pls help me if possible:)

@Mizuryryn 7 месяцев назад

*NFT* truly stands for *NOT* *FOR* *TRADE*

@Mihacappy 6 месяцев назад

"What the fuck is wrong with you" "Kaboom! Worked like a charm!"

@varram3488 7 месяцев назад

no cors implementation on these websites is crazy 💀💀💀💀. Its literally a 2 second thing that you need to add that will tell google chrome (or whatever browser) to not allow requests to be made from other websites.

@Skeetawn2ndacc 7 месяцев назад

Is Eva the genius of the century ?

@_tr11 7 месяцев назад

Most bots require a token in an authorization header, so don't worry too much.

@jaarva_ 7 месяцев назад

"success":true is json which is often used by api's to give out data or in this case signify a successful operation

@Jordan-xy9hs 7 месяцев назад

no shit sherlock

@stevenn110 7 месяцев назад

What great timing, i just got a webcam and you claim to be able to see through it...

@yourtypicaldumaas9052 7 месяцев назад

At this point you should just give your channel to eva since they do all the work. Im jk amazing video keep up the good work

@AlexLexusOfficial 7 месяцев назад

The next step for Eva is to find a bug that allows you to log in Discord staff's accounts.

@Nerdy1729 6 месяцев назад

or find a bug that allows you to delete discord from existence

@Jack-di3df 7 месяцев назад

Brother uses Vercel, what a GOAT

@abdul333majid 7 месяцев назад

bro this video is so helpful it helped me get to my dream of becoming a black man

@akfaai 7 месяцев назад

lol

@domodiak 7 месяцев назад

Some frameworks come with csrf protection built-in, what were those bots using? bruh

@IIDreamy 7 месяцев назад

I really like your videos Your videos is so good Thanks for creating good videos

@Powertampa 7 месяцев назад

csrf is what, page 3 of how to secure your public api. Good lord that's bad

@Wolfs_Army_Roleplay 7 месяцев назад

I know, these kids that click links ruin my time on discord. Not to forget these idiots who even send these links.

@_MODIZEN_ 6 месяцев назад

We fixed this issue too by just thinking about it

@kpop_lover9534 Месяц назад

Hi, I was hacked today and lost my account do you think it’s possible to get it back?

@OctoLinkYT 7 месяцев назад

Wow, love this stuff

@Mor9462 6 месяцев назад

Does anyone know website to illegal to software servers so I can hack them

@capfish0140 7 месяцев назад

Eva in every video now 🙏

@rando521 7 месяцев назад

i read the url its csrf as a dev i ignore it for projects with my friends but an public site needs to take care of it id say its one of the major 3 vulnerabilities in computer science and almost any dev knows about it.

@kmcat 7 месяцев назад

It's not even on the OWASP top 10 anymore, is so easy to prevent. Maybe you could says it security misconfiguration - as it can be prevent by a CORS header*

@NCubss 7 месяцев назад

The reason why it worked is because it does no authentication in the request really, I assume it checks your cookies for a dashboard token and just uses that to authenticate you, which is not secure because any website can send the request out for you without the website knowing any of your credentials to the dashboard. Discord and other platforms force you to put your account token in the request header so it can authenticate you. That prevents websites from sending requests to do stuff in Discord without you even knowing.

@kmcat 7 месяцев назад

@@NCubss You are almost right. When you make a HTTP request the cookies for the domain are sent in the header. In the case the cookies are what authenticates the request. With CSRF, we are using our own website to make a request to the vulnerable site on behalf of the user. When we made the request to the vulnerable site, the cookies that are already present on the user's browsers are sent in the HTTP request thus authenticate the request. I think Discord get around this by using the local store, which isn't accessible in the HTTP request. - I'll have to have a look on that.

@GateKeeper_Systems 7 месяцев назад

This is why GateKeeper and NaDev will never have a Dashboard. Captcha-bot and the 3 bots in this video all have exploits involving a web dashboard.

@Irilia_neko 7 месяцев назад

I'm sure I've seen that on this channel one week ago, and it was supposed to be already fix 😅

@Case5961 6 месяцев назад

I guess I’m an aggressive pit bull. Because I sure do love children

@keemsta.r 6 месяцев назад

I’m contacting my lawyer

@discussions. 7 месяцев назад

"Could you help me, a smoking hot egirl, with my dyno bot setup? Can I see your setup?" "what the fuck is wrong with you" Nah bro got rejected 😭😭😭😭😭😭

@matopgaming8858 7 месяцев назад

*emotional damage*

@MineONite 7 месяцев назад

I haven’t seen a ntts video since last year

@ThatPlagueDoctor.. 6 месяцев назад

Aw man Carl is my favorite bot

@PokeTroll_YT_BG 7 месяцев назад

Don't click on random links or it might be a rickroll

@DJBendytheFox 7 месяцев назад

I use all three of these bots in my server 💀 What are the odds of that?

@dartheincarnate 7 месяцев назад

I know it might be a not so cool video, but obviously Eva follows somewhat proper responsible disclosure somehow? Maybe a nice video on what that is for any viewers that would find a bug or developers of a bot that dunno what that is would be nice :-)

@I_Love_Learning 7 месяцев назад

He states that the bugs were reported and fixed at both the start and end of the video.

@dartheincarnate 7 месяцев назад

@@I_Love_Learning Yes, Eva and TTS definitely know what it is, same as carlbot devs.. if you actually re-read my comment, you will realize that was not what i was talking about

@I_Love_Learning 7 месяцев назад

@@dartheincarnate I was commenting on your question regarding Eva's disclosure, not about making a video.

@nokorius 7 месяцев назад

hello mr no text to the speech and happy new of the year

@Munkipp 7 месяцев назад

I have a theory, ntts is a discord employee

@Steve_Bloks 13 дней назад

I dint even use links for this i just use it for legit purposes ir ip logging depending on if i like the person

@Shido-kun. 7 месяцев назад

I'm starting to get convinced that NTTS is secretly a bug finder but somehow he doesn't have the badge...

@Drby2 7 месяцев назад

1:36 bro is really watching me, i was just doing that 😧

@fantoroVEVO 7 месяцев назад

fyi: you cant get reported for hosting payloads on github at least afaik

@Rolesional 7 месяцев назад

Hacking a Discord Server With a Link!

@AEGISAOE 7 месяцев назад

1:05 why why u give any bot the @ everyone ping? huh duh

@kmcat 7 месяцев назад

:) I ask the same question, when a bot basically asks for admin. We call it least privilege

@NCubss 7 месяцев назад

Tons of bots ask for you to give them admin permission. But you can change their permissions after

@NEMIZA999 3 месяца назад

If they're patched what is the point of this video I'm trying to actively learn how to that still works

@OccasusRaven 7 месяцев назад

So Eva is basically white hat hacker

@AlexLexusOfficial 7 месяцев назад

Eva is the smartest person on the planet, I'm actually still astonished by the fact that she keeps finding such crazy bugs in such popular Discord bots. Tbh she should get a million dollars for finding such bugs.

@GateKeeper_Systems 7 месяцев назад

If discord paid a bug bounty, im not sure if it would be announced

@x2qo 6 месяцев назад

On the planet? Nah On discord? Maybe?

@FinalRuze 7 месяцев назад

There’s gonna be another vulnerability quite soon.

@hausemaster2b2t 6 месяцев назад

Still works if you load an w/ the src pointing to the target site, LMFAOOO

@FinalRuze 6 месяцев назад

@@hausemaster2b2t lmao

@Chordata7 7 месяцев назад

This just in dont click suspicious links

@budgieboi8979 7 месяцев назад

Dont worry, I plan to click every random link I come across on discord :)

@donthackme2 7 месяцев назад

I love the moment 5:57

@abdul333majid 7 месяцев назад

oh yeah bro same@@donthackme2

@lolyouredumb 6 месяцев назад

Hey, would you mind clicking my "definitely not a malware" link? It'd be nice if you do! 😁

@MagnusMss 7 месяцев назад

Me: the super 999 IQ (definitely not demeaning know-it-all) genius runs the dashboard on a website hosted locally, so it only exists when you want to change something. I click on the link, and the website doesn't exist; nothing happens. (This is an imperfect solution because you need permission on a computer to host the website, so you can't do it from your phone or work PC. And it is only really practical for single custom-built bots.)

@EnBunk 7 месяцев назад

A naked man fears no pickpocket.

@Solinaru 7 месяцев назад

counterpoint: the naked man fears no *ordinary* pickpocket 💀

@Solinaru 7 месяцев назад

"this is the lockpicking lawyer and today I'm going to show you how insecure a rectum is for hiding your valuables "

@Scriptッ 7 месяцев назад

this NTTS guy seems like having good times with Eva

@ReeeMonke 7 месяцев назад

@itsthepossume4457😮

@ReeeMonke 7 месяцев назад

I wish I was eva

@user-den1251 7 месяцев назад

To protect your bot from this attack add csrf token support

@SmilerRyanYT 7 месяцев назад

Either that, or even just block requests with no referrer. if the referrer doesn't exist or isn't the same domain, you can assume it's not an OK request and just show an error.

@lynztx. 7 месяцев назад

NTTS UPLOADED!!!

@haithem8906 7 месяцев назад

cookies created this issue in the first place. its the cookies.

@Milenakos 7 месяцев назад

you can as well say the internet itself created this issue

@wowitsbean 5 месяцев назад

oh yes ntts very good 1:35

@Asleep0 7 месяцев назад

Lmao, amazing how insecure these bots are.

@emptycloth19555 Месяц назад

5:45 as member of some e-girlfriend hang out server IT'S POINTLESS GO MAKE REAL LIFE GIRLFRIEND OR FRIENDS AND GO TOUCH SOME GRASS

@kanapuro 7 месяцев назад

is carlbot safe?? i use it on my server D:

@duchicipi 7 месяцев назад

NTTS da goat

@99u99 7 месяцев назад

In my opinion, bots should not have a web panel... or it could be just for Bot Developer.

@ericwildfong 7 месяцев назад

Even if it's just for the dev it could still have vulnerabilities, and as ntts showed in a previous video if not properly secured can be even more dangerous. If bots didn't have a web panel how would you configure them then?

@Jordan-xy9hs 7 месяцев назад

@@ericwildfong through the discord bot's slash commands 😱

@ericwildfong 7 месяцев назад

@@Jordan-xy9hs I mean yeah discord's bot interactions have improved in recent years, with the addition of slash commands. But depending on how complex the configuration is slash commands may not cut it, and you also gotta remember pretty much all of these big bots existed before discord even added slash commands to the platform

@Jordan-xy9hs 6 месяцев назад

@@ericwildfong who cares about before slash commands, we don’t do that anymore in my experience ive never had issues setting up a bot with only the slash commands

@ericwildfong 6 месяцев назад

@@Jordan-xy9hs Just cause "we don't do that anymore" doesn't mean it was easy to do complicated configuration using chat commands before slash commands were introduced. In fact slash commands were introduced and made the primary way for bot interaction both for user privacy, but also to make bots more accessible to non-technical users of the platform. Web-based dashboards were a user-friendly way to allow bot configuration without needing complicated command syntax. Web dashboards also aren't unique to discord bots, Nightbot, Streamlabs, Streamelements, etc. also all have web dashboards. And while you can use slash commands now a lot of the bigger bots still have their dashboards because people have come to depend on them, and it can be a lot of work to migrate them to slash commands. Not to mention it's easier to design things like embeds when it's laid out on screen like it'll appear in discord vs in a slash command.

@larry2kYTalt 7 месяцев назад

dont worry, i have a chromebook so it prevents this. also prevents exe files from opening. and im a hacker.

@papaguro 6 месяцев назад

dude i have fallen for a steam gift card scam maybe you can talk about this bassicly a dude on discord send free gift card, obviusly a scam, but ut send you to the official steam site i can litteraly go to home of steam, then you log in and voila scammer has all steam information(don't know if this is recent or not, also appolegiez for my bad english)

@yamahadx7synthesiser 6 месяцев назад

is it by any chance, the "Is this your Steam sccount?" message?

@NAGATO826 7 месяцев назад

can you make video of hacking acc discord with link discord server

@giannispasterio6652 7 месяцев назад

Do you check emails?

@Rashestplace606 6 месяцев назад

Real hacker man 😩

@user-qj7lp9xc6i 7 месяцев назад

if you become bad man you will broken all

@brurmonemt 7 месяцев назад

happy new year ntts

@Unknow680 6 месяцев назад

4:30 hopeful they forgive you if it was real user.

@genericname957 7 месяцев назад

Why do you sneak cobra into every video

@onezedmusic 6 месяцев назад

delete this video before the hangout representatives take a legal action please

@TechnoSC_ 7 месяцев назад

we need to ship NTTS and Eva

@tribble_omg 7 месяцев назад

@iwasneverjoebiden 7 месяцев назад

Eva is the real hero, NTTS is the middle-man

@ThatNathDude 7 месяцев назад

0:00 you can't tell me what to do!

@BruhRlyy 7 месяцев назад

insanity

@yumikothecutie4786 7 месяцев назад

btw, did you know? you used the word "kaputt" in this video. do you know that it actually originates from the German Language? "kaputt" is the german word for that something is "broken". like, "My PC is broken" for example. The more you know~ :3

@NCubss 7 месяцев назад

That's why he said it