I Hacked a Discord Bot, the Owner said this...
HTML-код
- Опубликовано: 11 июн 2024
- A vulnerability was found in the Discord bot, Captcha.bot. And I hacked into the bot and gave myself admin on a Discord server. But when I told the bot owner/developer about this, he said...
Wow I'm a tease. But yessir, it's another video where I talk about the abhorrent security of Discord bots and how easily they can be hacked. And in this case there's a lot of things I get to complain about, from the security of a "security Discord bot" to how the owner responded to me after I disclosed the vulnerability.
And again, massive thank you to xyzeva for finding this vulnerability. They are 2-0 right now.
Also just so we are clear, I hacked into my own test server. I would never cause intentional damage to a Discord server.
LINKS
-----------------------------------------------------------------------------
xyzeva's socials
kibty.town/
github.com/xyzeva
SOCIALS
-----------------------------------------------------------------------------
Discord Server
/ discord
Twitter
/ notexttospeech
TIMESTAMPS
-----------------------------------------------------------------------------
00:00 - The Hack
06:12 - The Damage
08:27 - The Response 
Развлечения
1. Do not harass the bot developer. Yes, he didn't say thank you, but he did fix the issue quickly. Harassing someone because of poor manners aint the move.
2. The vulnerability is patched, please stop asking me how to hack into captcha.bot. I will never make a video on a live vulnerability because some of you are rascals.
and finally, I was told that people are asking other bot devs if their bot is safe and linking this video. That is perfect, that's the goal of these videos. Whether it's a one man team or a big company, people will exploit discord bots and use it to ruin people's communities or scam a bunch of people. And everyone getting a little scared of eva, and double checking the security of their bots, is going to make the community a better place. (Even if it means I have to burn my bridges with bot devs that disagree).
Oh
i hope he learned now atleast to not hardcode his id and to write a good api (there a propably still allot of vulnerabilities)
that's reasonable
Well, the video could still be a clue to another exploit, if such a dumb loophole existed, there are likely many more.
yes
this guy needs a lesson on how to properly protect his API endpoints... hilarious
What do you mean? Checking the locally cached ID in the frontend with no proper backend verification is totally enough. /s
Their sourcemaps are still public, btw (the "Webpack" folder). Either theirs, or their payment/subscription processor
dark is an idiot
As a non coder whats an API?😊
@@TheRealKiRBEYme work wit someone else's application via my own code
How are these bots so hilariously insecure? The fact everything could not only be done so easily but also all within the browser's DEVELOPER TOOLS is a huge problem.
@@VaultCord its the person who created the bot's fault, the website made for his bot has lots of vulnerabilties.
I finally understood why dumbasses politicians wanted at one point to block the inspect page... Wait, no they just are incredibly dumb and if they catch a glimpse of dev tools they will completely loose their mind lmao
@@VaultCordthey do, if only you cared to read the terms of service instead of blaming them for every goddamn thing
well you don't need any proven skills or any signed legal things to create a bot
@@VaultCordIt's the law to disclose data breah, bots' owner not following it (or the ToS) is not Discord fault - but Discord is at fault for not going after them after that through.
Having this little protection is shameful. There is a complete lack of basic security measures...
im literally not a web dev and seeing that js auth code immediately set off alarms
@@toydotgame so if you are not a web dev, don't comment on the matter, authorization headers are completely fine and pretty standard for many applications
@@kibbewaterwhat. for an app like this? Okay
@@kibbewater💀
@@Omega-mr1jg The Auth headers were not the problem, lack of handling them correctly was.
As a full-stack developer I can confirm that this is so amateur and unprofessional, no-one should trust a single product from this developer EVER. Remove captcha bot from your servers rn.
hecker
That's what happens when you just throw everything to the front end. x)
Verification etc. should be done on the backend and be a little more secure than just sending _any_ auth header. It should verify the auth header that it's actually the owner and probably a lot more.
I even have such a login on my website, but you need the right password and username to get logged in and _then_ it just sees "Logged in? Okay, here's your perms!", because I am the only user account there. And eventually I'll replace that with a third-party OAuth login instead of an own one.
this is what happens when someone spends too much time in js land lol
I can't even tell how it'd make it any easier. They clearly know the account to give the server to, so all they have to do is put the if (user is not me) check in there. Sure it can be put in the client side too, but just one line in the server side would have been enough to stop it.
All those recent exploits discovered in bots is why I keep stressing to people to properly setup their servers and not blindly give bots permissions they don't need.
Thank you for bringing light to these exploits, hopefully this pushes people to stop blindly trusting bots and for devs to be more careful with security
ye like who puts checks, security, etc in front-end?
I had a server where bots have different functions, but these bots only had access to the channels they should have access to. For example, no access to #general or #moderation.
@@LiggliluffThat's pretty much how I do it, if it doesn't need to view a specific channel then it's restricted from it, if it only needs to read and not talk it won't have send message permission except for logs channels, etc
#1 advice i can give. Don't use bots. Bots are fully automated without human input when it comes to authentication. The best security you can do, is have active HUMAN staff members in your servers. I get the appeal for bots, but if you bringing them in from a third party, you are literally relinquishing control to someone you dont know if you can trust or not. Weither if the properly took the percautions. So, set up your discord and manage it yourself.
@@ItzPubby I wouldn't say that's a good advice, bots are helpful when used right especially when you have a large server or want to setup something specific, the issue is people are too lazy to set up bot properly and just gives it admin so it does its job, they don't organize their server roles properly, they don't disable bot features they don't need and don't restrict the bot accesses to what it doesn't need, they don't know how to look for the signs that a bot isn't made properly (such as its invite auth link requesting admin perms in any capacity).
Sure if you're running a small server you probably don't need a bot, but they're a good tool and people needs to know better when using said tool.
As a Cybersecurity Student, that was the shitiest security that I have ever seen in my whole life 💀
that means you haven't been in cybersecurity for very long (no offense)
@@turtleparty7241 bro doesn't know how school works
@@turtleparty7241 A year and learning (yes, its not too long imo, doing hackthebox machines rn)
@@turtleparty7241 He said he was a student 🤨
@@turtleparty7241 so someone can easily hack into a bot by using F1 and it's not the shitiest security?
Absolutely disgusting move by the bot owner.
Shut UP !!!!!!!! 😍😍😍😍🥰🤩🤩🤩
@@zikohaha7440npc
@@zikohaha7440 you shut up
@@zikohaha7440 no
Thats messed up
As someone who has dabbled with a bit of bot development here and there on Discord, I have seen so many examples of other developers who think they're too good and too big to acknowledge other people around them - especially when it's criticism or feedback. Not surprised at all that Dark ignored your DM and I can guarantee that had you sent it from your NTTS account he 100% only then would've bothered replying.
I'm not surprised that Dark was unresponsive after you basically saved his bot from destruction and chaos. Every interaction I've had with him (through the Arcane server), he has been cold and narcissistic. I don't know if that's how he actually is IRL, or if he gets a lot of messages per day and can't keep up with them, but he does not seem like a very good person in my opinion. I am glad that he fixed this huge vulnerability, and I can pretty much guarantee that any mention of this in any of the servers he owns will be met with a timeout or something of that sort. I mentioned the word "bot" in the Arcane server and got muted for 5 minutes for "advertising" as he told me.
almost every large bot dev is narcissistic tbh
@@verytuffcat Dark is the only bot developer I have ever directly interacted with, so I can't speak much on that, but I wouldn't be surprised if the reason they seem cold is because they just get an onslaught of friend requests and DM requests. I would imagine it would be stressful to have to deal with all of that. I'm not excusing Dark's actions as he could have at least said thank you, but there might be multiple reasons why he didn't respond other than he's a duchebag. I still think he could be nicer though.
its very easy to turn off those friend request and dms stuff its just their incompetance@@Gandalf_Potter00
@@Gandalf_Potter00influencers and developers get insane dms and friend requests all the time lol, but not all of them are narcissistic. these type of people are just inherently like that, and the fame is just feeding it
@@Gandalf_Potter00 yeah
xyzeva causally finding vulnerability in security bots 💀
sometimes I want people like that to point what's wrong with my stuff out, just to make them a little bit better
@@chevvvv thats what beta releases, etc. are for
@@chevvvv and then there are those companies that sue you for letting them know, even if you just accidentially stumbled upon it...
It's a very amateur mistake so I wouldn't credit too much here, this should have never worked had this been done by someone with more than 1 year of experience.
@@unearthlynarratives_even somelne with 1 month of wxperience shoudn't make this mistake. As soon as you know that anyone can send stuff to your server, you should see how this is shitty security
"am be so so wuh a bo" such wise words from the owner...
It’s something about the word sussy Baka but in reverse
I reversed it and it said amongus sussy baka not kidding reverse the video and you can hear it too
@@Mightypehe said “among us Sussy balls” Lmaooooo 💀💀💀
Whice goat will be the next to be my subcriber🤔
@@BlueYT592 Well i'm not a goat. Maybe the next guy
A hacking tutorial 💀
True💀
Fr 💀
Not really since the video was uploaded after it was patched
We would be doomed if NTTS started his villain arc.
too bad he cant cause all he knows is how to get spoonfed by women
yes. and it does not help that he gets treated like shit (ignored) when helping people.
he's gonna start it someday, if he gonna keep being treated like shit
Xyzeva is gonna be his side kick for sure
he would be the one who ruins every discord sever ever
these recent vulnerability videos have really given me insight on how even the biggest bots can be taken advantage of
LOL forget about bots, or even Discord, try to search how many vulnerabilities people have discovered in the major cloud computing providers (AWS, Azure, etc.).
Take active steps to protect yourself, you cant let other people do it for you. If you want the server safe and to have these types of security you need to go through and do it properly. the best thing you can do, is be as secure as you can from your end.
@@ItzPubby Do you know what you're saying... thing is, bots like Captcha bot have already constructed databases which can help find alts; this is not something you can just "acquire".
@@erikkonstasi honestly wonder how it works tho. can you explain
@@verytuffcat So basically the thing stores a number of IP addresses and other characteristics pertaining to a number of "devices" for every Discord account that goes through it, so if another account shares anything in common it is considered to be a possible alt. Yes, it can have false negatives (e.g. the person changes their public IP address) and false positives (e.g. the person is on a public Wi-Fi).
I don't think I could've resisted the intrusive thoughts tbh. Good on you, dude lol.
xyzeva is a developer on a server Im an admin on lmao
i mean you could have harmless fun, right? don't have to go destructive.
It's people like you who are the reason why problems are only made public after they're fixed...
@@erikkonstas it's a joke not a dick, don't take it so hard.
@@ectothermic Literally nobody thinks you're joking tho.
Once again, thank you for keeping us safe on Discord, NTTS!
Shame Discord don't have an employee to do this.
npc
You're an Npc @@HeadlessStar 😂😝
@@HeadlessStaryou have become the very thing you have set out to destroy!!
npc activity@@SilenceBot
@@HeadlessStar *bot activity
This is the reason I like to troll the help pages on Dark's Discord server. It makes him waste his time on stupid things that takes his precious time off. I feel no remorse for Dark whatsoever
Big W
Glad I never heard of this dumbass bot
lol
Did he just hack it for fun?
Am I misunderstanding? All the dude did was not reply to him. Why harass him?
That is the most pathetic thing I ever seen, like imagine ghosting the guy that help you find a security problem in your code, like imagine this happened again. I'm sure NTTS knows this abt stuff or he knows someone knows this stuff, imagine being so egoistical and risking ur career
Can't say for sure he ghosted him, he only gave him one day to reply. When my dms are full it takes me two weeks to read and reply to them on average
You can always go the middle route: Sell the vulnerabilty but also tell the owner about it
that's big brain time
i wouldnt even bother telling him about this, i would just look how his bot gets destroyed. he's such a looser for not even answering
just sell the vulnerability to him for 1000 dollars
This escalated so quickly.
he dont understand protection LOL
Some servers really are set up horribly, one time, I saw a server where for some reason the owner role, with all perms, was under the member role, which everyone has, and also has perms to manage roles, so if literally anyone looked at the roles, which the member role also has perms for, they could've easily just given themselves owner and destroyed the entire server before the real owner got on.
To be ethical or not to be. As soon as you have a good intention, you literally get shit on by life. Honestly, you shouldn't have given away the exploit without getting a response from him, or a bug-finding contract. This kind of vulnerability should have been rewarded. If I made a bot and such a vulnerability was discovered, not only would I thank the user who found it and didn't abuse it, but I'd also try to pay for it or give away premium benefits.
What a rat.
Translated because i'm not ca or us, just a baguette.
I think NTTS makes a good amount of video legally through YT. Probably why he leaves this stuff for other people to make the choice. But not responding doesn't sound like they tend to pay bug bounties. a good team would have probably offered it.
even ignoring ethics this is just stupid.
if you know you get paid out and don't need to fear legal actions if you point out vulnerabilities, you'll probably do it.
but if you know you will just be ignored but could instead exploit it to make some money, a lot of people wont care about ethics and decide to exploit.
it's just proof for anybody that you'll gain much more from exploiting his products.
that's just stupid and for all of his customers you can just hope that no bad actor is going to find something.
P sure the owner doesn't care to fix it and knowingly just lets that be possible
@@delicious_orange013lol6it's best not to attribute to malice, that which can reasonably be attributed to being a complete dumbass.
@@parapetcloud if he's a dumbass then he'll learn the hard way
okay so heres the thing, firstly a super big thank you for makeing those videos secondly i get that the dev might have had a bigger thing to work on than responding to you when they first saw it and im happy they did fix it so fast but a "hey we fixed it thanks for saveing our butt here" wouldve been nice
im starting to think eva is an AI, they have found ways to do this with so many bots lmao
Obviously she is, girls are not real
AI's pretty awful at cyber security. No, this is just a decent amount of time having fun pentesting lol
NULL
She does hobby pentesting according to her homepage. And her git shows activity in regards to malware/pentesting and most importantly silly block game.
@@kacperkonieczny7333 undefined
NTTS Started his own villain arc confirmed 100%
Eva and no text to speech are really helping people on this. the hero's we need.
Can you cover the new mobile layout and how to revert to the old layout? It's absolute ass and makes me happy to be legally blind
trick is to downgrade to earlier version, disable it there, update back and never update again without confirmation that it still exists
done
I like the switching between severs and dms, but I absolutely hate the new search and how I can't just type from:someone without it trying to do some Google type of stuff
At this point, bad security by discord bot devs doesn't surprise me anymore. The bar to making a bot is so goddamn low that incompetent people make bots that get too popular for their own good.
This shows us very well how life slaps you across the face for just being nice and the least they could've done is a thank you, but apparently thats too much for some people.
I just finished watching this video, and decided to check a few of the bots I have used on servers I own/co-own, including paid, free, and trial bots. It takes a bit longer than this, but some very popular bots(not gonna name them) have some major issues very similar to this one. I tested a method on a server I am friends with the owner on and managed to(after creating a backup server so people wouldn't lose everything) completely wipe the server in the span of 8 minutes. People really need to hire some kind of white-hat to double check that things aren't as hilariously undefended as this was.
no announcement could mean some servers don't notice the bot handing out the wrong roles for a little while
This is why I don't trust security bots.
crazy how this guy doesn't even protect his api endpoints
Seeing this makes me glad that I went through the trouble of attaching this one bots permissions to each relevant Channel instead of giving it the blanket permission.
this is epic, guilded is finally getting the attention is really needs, this is poggers
don't worry, if he was that careless and clueless about security on that matter, he probably has a lot of other holes to patch
Welp time to raid some Discord servers. 💀
6 seconds into the video and I have to pause to replay it, I was not prepared for this start.
Man, you are a real hero! This made me so proud and insipred. Well done bro.
0:04 says
"Among us sussy ba-"
Disgusting behavior. A ‘thank you’ from his response would’ve really shown that he at least cared a bit. Sometimes it just doesn’t pay to have morals. I would have made an airdrop in an NFT server then have drained their wallets.
So now NTTS teamed up with hacker-cat-girl pfp and we're getting more videos like this ? love it
Security Problems in Discord Bots? You're... the One Legend.
This escalated quickly.
Waiting for NTTS's video on the new discord update with the interface
love your vids man
I wonder if most bots have this exact issue with a similar result after making it think you're the owner and some devs are just too lazy to patch it if they hear about it.
NTTS, idk if you still read comments, but are you aware how discord is forcing mobile users to use new ui
To explain, now if you change the ui, you CANNOT change back to old ui (im forever stuck in new ui purgatory. Send Help)
I…might have to see if I can hire Eva to do a vulnerability check on a project at some point…
she is a developer for a server im an admin on
from what i've seen (at least on this channel I don't really use bots in my servers at all, and the bots I do use are like, music bots which only need like 1 permission). Most bot developers don't have experience with an internet facing service. If the debug endpoint is there just for debugging other servers just incase there's an issue, why not just have it to where it can accept any ID and auth token, but on the backend it checks if it's the correct user. The code is right there in the page source, it just checks if the userID is the ID if the owner of capture bot, and just doesn't show it if it's not...the actual call doing the debug mode just does it, no other prior checks beside if the guildID is a valid id.
What should've been done is, A. don't hardcode the user ID into the check for the User ID someone could just spoof it by just copying it right there B. do other verification on the actual backend.
it could be a whole thing where first it sends the request like it does in the video, but when it gets to the backend it'll check multiple things, the user ID that sent the data, what permissions it has etc etc. verification shouldn't be done on the front end.
yup. this is why I always set up bots below mods/andmins and above janitors. bots can only be trusted to delete messages and give roles that have no real perms under them.
NTTS you giving here a good example of people who doesn't give a shit about safty, you did your thing and i proud of you its his problem
Bro went from making videos about discord news to becoming a hacker, well I wasn’t expecting that
I LOVE THIS. I can spend hours finding vulnerabilities or bypasses like this :). I wish I could do this as a full time job
I reversed the reversed audio, and it said: "Among Us Sussy"
The amount of trolling that will be done is devastating
The exploit is fixed. The trolling can only happen if something like this is leaked again.
@@thewitchidolsachika6682 rules of the universe: 1. Trolling will happen 2. If the trolling is stopped, it can happen again
@@thewitchidolsachika6682 in discord the only updates shown in the video is they moved around the roles, theoretically if someones already in they could change it back. Unless NTTS didn't show what was further changed.
this makes me glad and sad that I am so neurotic about server setup. If I was a bit stupider I coulda used this to get back into my own server but I'm too reserved about permissions so this would've never worked :sob:
This also brings to to the question how many other captcha bots are affected by this same exploit.
it's something very well-known, i think this bot's dev is just dumb
I'm sure you can find another one in the channel... 😂
never wished to be a time traveler so badly until now
Why does everyone do authentication _client side?!_ Like, seriously, that's the oldest mistake in the book!
To anyone wondering, similar bots exist on whatsapp too. Those bots have a lot more serious vulnerabilities tho (i.e RCE on host machine).
I use WhatsApp, and I think it doesn't have bots unless you are a business and verify it
@@_tr11 unofficial libraries exists.
another good reason to not make dashboards :D
but fr whenever i got time to publish my bot, its just gonna be command-setting up cuz no clue how to make actual dashboards for setting stuff up
Making dashboards is fine, in this case the developer just made a way to give himself access to any server, but server side he didn't check if it was him, which was the problem here.
just imagine this man going to his villain arc, it won't be pretty...
It's pronounced as VIEW NOT VUUUU I'M DYING
As a Developer, hacker, consultant.
You would be suprised at how many of these APIs are vulnrable to this exact issue. To many developers think that frontend verification is secure. Completely ignoring anyone could send requests directly to the API.
And tbh, 99% of these issues come from Javascript developers. They have no idea about secure backend programming.
Discord had the exact same vulnrability in their APIs, last year people discovered a new API for model popups, it was completely undocumented and wasnt supposed to be public, but even discord doesnt put propper authentication on their APIs.
It's certainly a js issue. Tons of js frameworks bake back end into the front end like react and nextjs. There's a level of abstraction that non system engineers can't really understand because they think they're writing back end code but it's actually running on the client. It's like giving them a notepad with all your passwords to everyone who visits your website.
The only solution in my opinion, is making a private owner panel and move the api /guilded there. The owner panel and it's api endpoint will be connected to the database locally and they could add a login check with the owner's discord account. Trust me, I've done this for a website I own and it's a very good security. Like, who'll try to come at your house, try to guess your pc's password/pin or whatever you have, find the hidden owner panel and try to get in with your discord account?
? just store verification check code in back-end (server-side)
I think you meant "/debug", not "/guilded", but a simple auth flow ought to be enough (what we saw in the video was Dark putting it "where nobody will go looking for it", a "very good" "alternative"!!! 😂).
its so funny that he puts so little protection into the bots security
I can't believe the owner said the N word
Fr
Normal on Discord
bruh stop spoiling >:(
1:52 OMFG He pronounced "Vue" incorrectly, as a web developer I'M OFFENDED 😭😭
View
Let’s hope there is a Batman out there just incase NTTS turns into evil superman with this someday
imagine what lethal problems this issue could cause 💀
Me not understanding anything:🗿
Edit: the most likes ive ever gotten is 11 and its this comment
it makes no sense if you’re not a person who programs. like me.
Hi (make this famous) Edit : OMG THANKS GUYS THIS IS THE MOST LIKES I EVER HAVE
i will try
0:04 the reversed voice says, "Among us sussy ball-"
Bro has the power in his own hand and shared it
the funny thing is the ad before this video (for me) was the advertise for a discord nuking bot lol
And here we, yet again, enter the topic of RUclips literally letting anything that smells like money slide...
The "I'm projecting" at the end killed me 😂
When you get tired from telling people how to defend themselves from scams, you become a hacker.
This man is an inspect element wizard, and my role model for inspect element.
When I saw the title, I thought NTTS was going through like a villain arc
funny how i see the ad of a nuking bot before this video 💀
Damn, that's a real bad one. There must be other giant holes in this dev's projects...
Understandable for a "got-out-of-hand" FOSS project, less so for a commercial product with paying users.
"But when i told the owner he said obby sussy mama"
Literally the least he could've done was say "Thank you." But I guess when someone runs the "most secure" bot, they still have an ego regardless.
some time ago you made a video to make your own music bot, in case you find other "selfmade" bots like a reaction role bot and others it would be great if you could make a video about these or atleast recommend them.
LOL, those are way more likely to also not be Emmental cheese... 😂
@@erikkonstas i really dont what you are trying to tell me with this comment
@@Signupking That the "small" GitHub projects are much more likely to involve proper practices, because once a project becomes big, the focus changes from proper implementation to profit.
A naked man fears no pickpocket.
Eva seems to be really good when it comes to Discord. Seems to be in a lot of vids now
Since auto moderation is something that technology isn't really ready for yet, you should do this to AltDentifier next.
Bruh, you can definitely protect Vue routes in other ways! And also there should always be an API level securities e.g. protected endpoints based on roles, not by user ID even! Anyways, we need more ethical volunteers to check for stupid vulnerabilities like this... All developers are human beings, they can definitely make mistakes, it's not a thing to feel shy about. Therefore, let's put our hands together to fight the criminals who actually takes advantage of these mistakes... Thanks to NTTS for this awareness video!
I wouldnt do it by role ids since someone could exploid the support server and give itself the roles or any other way I would always do it by user ids
@@sattlerdevelopment Yes, truly it can be a secure option if you can sanitize website's input cases. Even with user ID, you can add better defences for this kind of XSS attacks. You can add some sort of Server authentications and stuffs (as I noticed the website only authorised the "hacker" by what it sees from the browser's perspective, meaning it's an exploit that can completely be done from the frontend). You can also add Public IP address checking (i think) to notify the developer that an unknown device is trying to connect to the admin portal...or smth like that idk. Either way, there are a lots of measures you can take. (Thanks for the callback, I just didn't think of that exploit.)
Why? They ghost you, so why?
Instead of securing the endpoint, he secured the front end code
The reversed speech at 0:05 is "Among us sussy balls".
This is like multiple cardinal sins:
1: pushing debug tools to production
2: CLIENT SIDE VERIFICATION (????)
3: UNPROTECTED ENDPOINT (????????????)
As the saying goes, no good deed goes unpunished.
Waiting for the new video about the discord mobile update 😁
The fields are real quiet after watching this
What's funny is captcha of course needs to fix their bot but this could be prevented by simply putting the roles below the captcha bot not have any permissions. Like a Mod or Admin role should always be above a bot. ALWAYS. It's how I've always done it.
i just want you to know that if I was in your position, I would be an absolute menace but I appreciate your ethics even if they don't reflect my personal views
The other move would be to capture your request to access that page and change your user ID to the one listed in the code.
as a dev, i hate how people think including the auth and debug systems are secure in the frontend