Discord is Dangerous Because of this Feature!
- Published: Jun 16, 2024
- What if I told you there was a single Discord feature that is holding up a large portion of the malicious communities that fester in the dark side of Discord?
Well I aint lying boyo. There is a discord feature that I absolutely despise. It allows scammers to keep you trapped in a Discord server. It allows scammers to scam you even further. And finally it provides a safety net if the scammer's server gets terminated by Discord.
Discord I make some pretty decent points in this thang, just remove the feature please.
SOCIALS
-----------------------------------------------------------------------------
Discord Server
/ discord
Twitter
/ notexttospeech
TIMESTAMPS
-----------------------------------------------------------------------------
00:00 - Fueling the Discord dumpster fire
00:17 - What is the dark side of Discord?
02:22 - Why Verify?
04:00 - Restorecord
06:18 - Remove authorized apps
06:42 - Discord won't do anything...
In Discord, you'll always find a person who fell for the most obvious and silly scam imaginable like if it was unbeknownst to them.
Yes true.
Cat
my dumbass friend fell for one of those extremely obvious stupid steam scams... on discord. i gotta go remind him of that again.
@@RanDoom_Guy21 So did i though he was saying shit about CSGO even though i've never played it in my life
my sister fell for one 💀
Even if i have an issue with a bot, I sure as HELL don't wanna get dragged into the support server without actually WANTING to go there, I would be so mad
definitely.
I also get super pissed when an app for example forces me to do an update or otherwise it won't work. I usually send them to the place they belong to, the garbage can.
it's about principles.
Settings > Authorised Apps > Remove App that says “Join servers for you”
@@Mohammed.Alamine Guess what, Discord does that to Linux users, because they can't be bothered to wait until the linux repos get updated
@@totoshampoin I never liked discord tbh.
I'm banned from the support server for mee6 lmaoo
Please Discord don't remove this, I love getting forcefully put into an anime server everytime I try to leave.
Same
Patreon is the only bot what would ever need to have this
😅
I think it's really funny because I've heard streamers be apologetic about Patreon forcing patrons to join their discord. So even they dislike the "feature"
Seriously lol. Like just pop up the join page when someone signs up for their patreon and then have the link always accessible after that. That would be just fine, no need for forced joins
r u single tho?
@@Tactical_Nuke0 you're not?
LOL, honestly, there are obvious ways to have a Patreon-reserved server without the goddamn kidnapping permission... 😂
im single @@gabomon08slayerofdragons
Bro, scammers are shivering their timbers with this one 💀
bro scammers suck dick
💀
ok now lets get this to the 🔝
@@Freegame4. fr
Scaaaryy ooh I shiver my timbers
There should be "join servers for you" yes but instead you're prompted to join the server like when you click on invites, instead of getting inside it automatically.
They can rename it to "Invite you to servers" instead
That won't get rid of the problem.
@@Bapll At least it will minimise it
Or a big red warning that "This bot can join servers for you. This is frequently used in scams, but can have legitimate uses. Please continue with caution!"
then you would get "MFA fatigue" like attacks (MFA is another name for 2fa or multi factor authentication)
where you just spam the user with requests to do something and eventually to get it to stop, will confirm that action (like joining a scam server)
Discord never fails to disappoint us
lmao yes
FAX
More like tic tok
Why can't I see something disappointing from discord? Like I usually just chat and nothing really happens next.
u single?
I love how the malicious server had a ''prevent scams'' channel
I'm a (former?) bot developer, and while I didn't consider how widespread the malicious use of that permission would be, I did see "Join Servers for you" permission and immediately have an idea on how to use it. Since bot authorization happens through the OAuth2 flow, and your browser directly submits the bearer token to the app through a web API, the app/bot can know your IP address and other information associated with you. Using this I considered building a sort of user reputation system to replace the traditional invite system. Then by using the Join servers permission, server owners could forego the Create Invite permission and rely on the bot to filter out users associated with bot activity (such as automated raids). Unfortunately I didn't want to spend money on a server to host my bot somewhere where it wouldn't leak my IP, so I never tried to implement the bot. For servers that wish to forego the traditional server invite system though, I can see developers making a legitimate use for it.
I agree with everything in this video
If I put this in any other way, it would be just a gigantic wall of text.
Honestly, it would be so much easier if discord just gave people the ability to deny/allow certain permissions like how they do when you add a bot
That would be one of best possible ways out of this, actually, yes.
now finally discord bots can bake a cake for you lmao
I wanna have an existential crisis
The solution here is for the bot to only be able to ask to join servers for you, with an option on that same page to immediately unauthorize the bot. This would allow discord's precious services like the patreon bot to exist while making it impossible to spam the user with invite requests.
pls be single
yeah i was thinking the same thing. It's just a basic UX issue
@@Tactical_Nuke0 You put that under a lot of comments and it shows...
dont even worry about it @@erikkonstas
@@Tactical_Nuke0 bro is DOWN BAD💀
they will never remove this, they are willingly keeping this around, they want their platform to be unsafe
The only bot that should have this is patreon
and even for that it could be reduced to a "join server?" popup instead of letting any service automatically join a server for you
@@CatBot007 exactly they should put this permission behind some strong verification to allow only trusted bots to use it
I actually hate that Patreon Bot pulls you into a server because I don't want to be in every server I support creators for. Some I do, but others I really don't.
This is the aspect of No Text To Speech that we all love, i told him about "4invites=nitro", and as we can see he make a video and warned yall.
He deserves more than 500k.
ntts has a talent of making people watch his entire video without skipping a single bit
or is it just me
no way its rocky from blap slattles
anyways i agree
just you
i didnt expect to watch the whole thing
Its probably the way he talks and edits
I really really really REALLY hate how Discord's "scan QR to log in" feature doesn't have *any* mention of logging in until *after* the QR is scanned. The button to start the process is just called "scan QR code". I can easily see someone thinking that's a very non-risky button.
Yeah, I always found that pretty dumb and just weird.
It does have a prompt after u scan it where u press a button that specifically says log in and also red text warning u about what it actually does so yeah
scammers fear this man
yea
😮
It’s true😊
yes they fear him
Discord can’t remove something detrimental to the service, because they’re too busy making changes we don’t like
The worst part about this (and how I lost my Discord account too), if you're in a bad server that you can't leave, well, it's fine right? You just ignore it.
No, no you don't. If you're in a server that gets deleted by Discord, there's a high chance ALL members get banned from Discord.
I suffered from this, it's rough, it's just stupid.
I don't even understand why this permission exists? Why should bots be able to join servers for you ?
literally
bots be able to "join servers for you" it's obvious, but imagine having the patreon perks and you get added to the server it's for a purpose 😤😤😒
@@nonameguy155 I mean, if you took the time to subscribe to someone on Patreon, why couldn't you take the time to click on their server invite link after?
@@LogandiSFM I guess the invite link can be easily leaked but then the server could just get a verification system
I don't know
Or if they don't want to get rid of the join servers for you option, let the user have a choice, let the user click the permission, not let it be in the hands of the bot dev.
yea like selecting which servers you're ok with it bringing you into. I also saw in another comment to give the prompt to join it or not so a combination with those two would stop most scams. If you REALLY wanted the patron bot to be unaffected then you could manually make it so it can join all servers for you with the prompt of course.
There’s a lot of things that this is good for, but they really could just use to lock it down. For most legitimate uses you’d only really have a user join one server. If you leave a server that you joined via this method it should revoke access to that integration.
No need to go full blown nuclear and remove it.
Yep. Outright removing something is not the way to go. Try to make it actually safe somehow, for one instead.
My Discord server has got hacked but I used restorecord so I was able to pull back all of the members to the new server
As a developer trying to connect my community via Patreon and Discord, I can say that this whole system is completely unreliable, messy, and a nightmare to work with. Patreon needs to get their shit together and integrate into Discord like Twitch and YouTube do instead of using the "Join server for you" crutch.
I agree entirely. I was shocked to see they give that to developers at all… it’s insane. There are no limits to how many servers they can join you to, and it’s 99% used for propagating scams. Thank you for making this video! I understand they wanna allow good developers to auto join you to servers from server search sites to reduce friction, but that’s something they should manually whitelist/approve for (if they keep the feature at all).
I'm pretty sure that a good dev would be OK with asking you for consent instead of abducting you...
it has use cases!
@@griffinLIVE Such as?
How is it insane to let USERS decide if they want to let a bot do something for them...
Are you actually ok
@@erikkonstas the bot literally asks for a permission when you authorize it
Considering Discord's Twitch integration gives the "join" buttons for streamers' servers that you're subscribed to in its connection view, I see no reason why they can't do a similar thing with Patreon. Unless Patreon can't or won't provide that information via API call (which would be a bit silly if true.)
They could limit the join servers for you permission, make it a one-time use only so it can only make you join 1 Server
That's a more reasonable solution. Removing the feature completely would be like Nuking an entire town just to get rid of a plague.
Except depending on how fatal the plague is, it might actually be a good choice @@harryhack91
it should honestly only suggest a server for you to join tbh
yeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@@thatoneannoyingtornadosire8755
The staff who have to watch his videos: 😢
CONGRATS ON 500K!! I REMEMBER WATCHING U WHEN U HAD 100K OMG
That fact YouTube demonetized an informative video on things to be careful on discord about
Those 2 valid use cases could be done by just having a perma link to the discord server. To get rid of the permission that causes so much trouble will be worth it. Unsure how to get a discord server perma link but i do know it is a thing.
You mean a permanent invite link? Iirc there's a button that lets you choose how long the link takes to expire
@@brrrrrr yeah that is what i mean i was hoping it could be just a permanent link to your server but maybe not. Never tried but it would be a good feature to replace the permission with so the users do not get joined to servers they do not want to be in.
@@yumri4 yeah you can just click unlimited when making a link that’s what they’re saying
@@yumri4 That's how the invite system already works. You can set the link to never expire.
@@Icarus-13 i know thus why i do not get why not just get rid of the permission and have the few cases it has valid uses for could just use that.
It’s very hard to moderate thousands of servers at the same time. We will suspend and terminate any account that breaks our Terms of service if reported via email, telegram or elsewhere. Anyone can put their server in the “Discovery” if they pay for the subscription
no one cares L
3:49 bro lives in spongebobs house 💀💀
Some kind persons sell their logs of users from those "Join servers for you" bots like Restorecord to more kind persons and it just spreads. If you are verifying a bot to join servers for you, make sure you know and TRUST the admins/owner. Worst case scenario, you can always deauthorize their bot in your user settings.
an even better way of dealing with it is having so only discord can authorize bots using the join servers for you, that way the niche good use cases can keep using it, they just have to verify the permission with discord themselves first. i would say that would be the best way to deal with it
I see your point but we can’t just act like it’s not 80% on people just pressing agree on something without looking into it. The prompt isn’t even long it’s a few lines and in those few lines it tells you what it’s doing “force joining into servers”. Rather you take the feature out or not it doesn’t change that the people that click yes to something that specifically says what it’s gonna do are gonna fall for any other scam. With this logic you could say the QR code quick login feature is more dangerous cause the “cons outweigh the pros”.
real
I love you so much this saved my silly ass for authorising so many bots
You should do a video about the new text highlight feature that allows you to put scam links in seemingly legitimate links. It doesn’t even embed, it just shows blue text.
i love the watery transitions btw
i hate how services like discord have stuff that are mostly used for bad purposes and they still refuse to remove them. this is a lot like the notification permissions in browsers.
this specifically is less like notification perms than automatic download perms for a website
i think the "join server for you" permission should stay but the people that want to activate it have to somehow verify themselves by discord so in case something happens they are liable.
This and the "access your email address" permission are reasons why scams on Discord mainly exist.
The best way to solve this would probably be to make bots that want to use that permission go through verification and state why they NEED it.
Discord needs to do two things.
1. Get rid of the join servers for you permission.
2. Make it so that Restorecord is rendered unusable.
If you have to backup your server because you could lose it all then you are doing something wrong.
I think Discord should add a popup that says Warning! you are giving this bot "Join servers for you" permission
As someone who was selling in the past (boost and nitro) deleting the features won’t help it they will create their own site where if they get banned they will just update the site or they have a backup server linked to an alt account that’s not violating tos so discord is then not yet allowed to remove it.
The only reason i can think of as to why Discord doesn't take the necessary actions against these scammers is because they are getting paid off by said scammers to be left alone.
That's the dumbest thing I've ever heard. I'll still believe it though.
this is so helpful, i was recently just in a scam server it had 1k servers since it was invite and get nitro type server. i've nuked it 2 times (i know its against tos and im sorry but i think its fair against a tos breaking because they also sell ccs which is illegal) well first time they lost 1k members but the time 2nd time they tried to rebuild the server and when i did it again they restored all the members. i just hope ppl become aware against these scam servers and actually do this.
angry merchant shivering in his boots rn
I mean, there are so many ways to fix this without dropping it entirely. What about adding another prompt "Patreon wants to add you to server super-secret. Yes/No" where you can decline and revoke it directly with a "Never" button? Or only allowing KYCed bots to do this? Or giving this permission only for x hours before it is auto-revoked?
What i think should happen is the bot needs to be verified to have certain permissions such as join servers for you and then also allowing people to deny certain permissions before they authorize.
That could potentially work, actually.
There should be a thing in the Leave Server prompt saying "You were added to this server by _____" with a checkbox to remove the connection.
Getting rid of Discord tokens is so important. It is LITERALLY the MOST insecure shit in the universe.
I love how you made that evil discord logo.
this permission literally has no purpose other than allowing bad actors do whatever god they want. unsure if this will be removed or not.
1:51 I personally hurt inside when you said Spore, the game is called ARK: Survival Evolved, any screenshots from it are super easy to recognize for me since I have so many hours on it
The thing that'll help Join servers for you that won't make it get deleted as permission is giving us a popup asking if we want to join the server
The join servers permission should work in the same way as privileged intents or the new IP address permission to try and reduce the misuse of it
the weird thing is, the official patreon bot has "join servers for you" as well
When I was new to discord, I did fall for one of those free nitro bot scams, but what it actually did was add a bot to my server, and made it so that my dm's get spammed by invites to ''18+'' servers non stop. But after some time and blocking those bots, it stopped. Nothing else happened afterwards. And I also could freely remove that bot from my server.
There's generally 1 common theme between these bots: they're not verified. Why not just disable access to the "join servers for you" permission for UNVERIFIED bots, all verified bots can access them (so the pretty much legit ones) and the scammers are left with nothing
ruclips.net/video/nfudlY_RV9g/видео.html&pp=ygUcbnR0cyBjYW4ndCBsZWF2ZSB0aGlzIHNlcnZlcg%3D%3D
There's a lot they could do to curb abuse without removing the feature entirely.
- Show a popup to the user "Application X made you join server Y, are you cool with this? [Yes/No]"
- Make bot authors list the servers they want to force users into, show this list when it asks you for permission, and disallow any servers you didn't approve ahead of time
Both are good ideas but for first one, when you say "no, I am not cool with this", it removes the permission for the bot to join more servers for you on your end, like your Discord client.
That would have been a really good segue into Bitwarden.
the NSFW server you showed I have seen more than one users get hacked from
Join Servers for You is great for gameserver communities, and removing this would break many discord reward system integrated into many gameservers.
Something needs to change, but removing this probably isnt the solution.
Since 2016 or so, Facebook requires developers to submit an approval request including a screen recording demoing the functionality to use easily-abused API permissions. The process is just frustrating enough to filter out a lot of malicious apps. At bare minimum, Discord should institute a similar policy.
i actually once had a bot that had join servers for you on it, and i kept being pulled into a spam server and i got banned for discord thinking i was a spam " bot " and then i found out what did it and i never used bots with join servers again
had to learn it the hard way T-T
Instead of removing the permission, they could require a bot verification for that permission with periodic audits as the niche use cases are so small it wouldn't be that hard to maintain. You would have to whitelist a bot with a limited list of emails that can test the bot to prevent creating a bunch of testing bots to circumvent certification. It would also only allow you to use that permission on a single bot. And you would be required to verify your ID and identity to create a bot with that permission or any bot in general.
except, your own bot should be allowed to join servers for you
This would be good if Discord was not way too lazy to do this
@@integre23 there are literally companies that you can outsource ID verification to kind of like you can outsource payment processing to stripe. I don't understand why discord can't do this. They wouldn't even need to retain information about your identity just that your identity has been confirmed. And they could identify in the future if you create a new account with that same identity..
I agree; I was thinking maybe it could simply be a privileged intent like a few other intents that applications can have too
@@FairPlay137 that would work, as these only need a few servers for the butz much less to get verified for the thing to work
They could do verifications on that too like they did with the read message permission
That probably wouldn't stop the problem, assuming they copy what they did with the message content intent since until your bot's in 75 servers you can't apply for verification and it's a simple toggle on the dashboard to enable it for bots in < 100 servers. They could however require discord approval like they've done with the other OAuth permissions (mainly the RPC ones) and that may solve the problem, or it may not
1:51 hard to tell but judging by the game itself and the stuff the bot says its ARK, The Island or another "Island" like map, or its just made by them
Main things: Game Player/Survivor
- "Player Level"
- "gcm" or "givecreativemode" which is a notable command to ARK
I hate the patreon bot too. I don't want to auto-join EVERY patreon I join, only some of them at most.
I actually use it for my linking system on minecraft. Basically the only thing it does is that if you're not in the discord and directly link yourself you get pulled onto the server by self.
non-issue. just remove the app from your account once you are done using it [e.g. to verify for a server, get a code, etc]
basic internet usage: if you don't trust something, use it as little as you can, or just avoid it
I gave a bot access to join servers for me and now it joined multiple scam servers and now I have 9 warnings from discord.
Discord will NEVER make us appreciate itself.
that oar joke got me cracked up
im honestly surprised they havent locked this down yet,
theyve been alright locking down bots with message content, presence stuff and something else i cant remember
but yeah
if they don't want to remove it, at least they could limit what apps and bots can have that permission, like disboard, but not give it to anyone, it could lead to the same thing that happens with verified bots, they just change the bot to be malicious
the join server part on cheat servers is because if the discord server gets termed by discord they can just pull you back into a backup server. not really phishing there. but i mean if you got a problem with it just unauthorize the bot :shrug:
They got you to click on a link and then grant them some sort of access to your account, it still kind of is phishing. Not to mention if the server got terminated then it violated discords TOS (which cheat servers do)
@@ericwildfong It is your choice to authorize the bot. These servers (and its members) know that it is against TOS. I doubt they will care if they're there to get cheats in the first place. Automatically rejoining servers is convenient in that case instead of finding a new invite somewhere else
just make the intent like message content or guild members, where you have to be approved to use it, that way the very few non harmful ways dont get affected
The permission could be approved by Discord on a case-by-case basis, based upon the owner of the bot's legitimacy based on a number of set rules that scammers would not be able to meet. It is such a niche permission, that may have legitimate uses in the eyes of Discord and if so, this is the appropriate solution.
☠ ya want discord to x100 their workers
I forgot that the majority of discord users cant read
@@elpepep2026 Most bots don't utilize said permission, and if a system is in place to do preliminary checks then it'll cut down the amount of requests that actually get sent to a staff member.
However, it all comes down to one question. Does discord *really* need the permission? They sure as heck do not need scams on their platform, so if they need the permission then requesting approval to use said permission is ideal. If they don't need the permission, remove it.
"what is this feature?"
the text clearly shows what it does 💀
when I saw you put up on screen a QR code screenshot I thought "oh no did he actually, some people are going to scan that just". So I put it through a decoder to see the raw contents of the qr code and its just a link to sub to you. lmao nice
When an Oauth has join servers for you, I just change it to decline.
they dont need to get rid of it. an 10-sec unskippable warning would already be enough. but discord probably wont even do that.
The only reason why "join server for you" should exist is getting into customer discords or other servers
Here is my alternative proposal.
* Apps can only add users in "preview mode". They can no longer add users as actual members.
* How "preview mode" should work is similar to how discoverable servers work: if you press a server in server discovery, you are not joining immediately but you can preview the server before you decide to actually join or not.
* When an app adds a user into a server, the icon of the server shows up in their sidebar, with a visual indicator like bot icon on it to show that the server is added by an app, until the user actually joins it.
* Hovering the mouse over the server icon also shows which app added the server.
* Do not allow apps suddenly show a consent popup. Prevents disrupting the flow while a user is e. g. writing a message, and spamming the popup over and over again until they join.
* A notification should be also sent to make the user aware, but an app should not be able to send a notification twice for the same server until they decide.
* When a user presses the icon of a server in "preview mode", a consent popup should show to let them decide. This popup should have the following options:
1. Option to join the server
* The user becomes an actual member and the server will no longer be in "preview mode" and be just like other servers they joined.
2. Option to decline to join the server specifically
* If the user declined in this way, the app cannot add them to the same server for an hour.
* The app can still add the user to other servers, and after an hour, the same server again as well.
3. Option to decline and immediately deauthorize the app
* The user can deauthorize the app right in the consent popup, without having to go to User Settings -> Authorized Apps.
* If there are other servers added by this app and still in "preview mode" (i. e. the user did not actually join yet), they will be removed from the sidebar as well.
* Since guilds.join (Join servers for you) OAuth2 scope has been revoked, the app can no longer add the user to any server.
4. Option to report the app for an abuse
* Upon submitting the report, what option 3 does also happen at the same time (deauthorize + remove "preview mode" servers added by app).
5. Option to decide after previewing the server
* The consent popup will close, and the user can reopen it with a button, in a bar at the top or a banner replacing the message input.
This proposal basically repurposes guilds.join scope to a kind of "private invite" feature, which lets app developers guarantee that the recipient cannot "give away" an invite link to another user that is never supposed to join, while preventing apps from instantly adding users to servers.
1:50 i love the spore reference, tho that is most definitely not spore.
Just wait till the scammers see this bro 💀
Why not simply a verification system like with bots? Where verified apps can ask more permissions like joining servers, while regular apps cannot
They should make it so only bots that are chosen by discord staff and are known to not be malicious have the permission
I've been banned for a week now for a false report on my age. The message I was banned for was 2 characters long. They have not replied to my appeal with proof.
I don’t think discord should outright ban it, it should have manual permission from a discord moderator for the join servers for you permission
Yeah the only bot that should have this is Patreon
the last kiss is best
I do love painting happy trees
Are there any other permissions I should be worried about besides the 'join servers permission'?
like 'know what servers you in' or 'Read your member info'???
I dont think they should get rid of the permission entirely but they should make it so the bot can only pull you in verified servers
I once authorized one of these bots, it made me join the same three servers every other day and it only stopped cuz the bot got taken down or smn
If a server uses a bot to _verify_ , leave that server immediately. The only verification you need is the one built in to Discord itself.
Can we get an updated Best Bots video?