Ruining Discord Servers with a Bot Exploit!

UPDATE: Double counter did a MASSIVE update that addresses all of the privacy issues.
- They have a way to opt out of the lens feature, both for a whole server and for a user across discord
- AND, if you request to delete your data, you WILL NOT get banned!
Nathan, the owner of double counter, turned this around immaculately. Massive respect and props to him. And thank you all for being constructive with your feedback and coming to this result.
Friendly reminder, these vulnerabilities were disclosed and FIXED before this video. From the Double Counter announcement and from what I saw, this was never exploited in the wild.

The fact that they ban you from every single server that uses DC just because you don't wanna be tracked is actually insane. Bottom tier company

"Military grade" never means "good" to those with actual military experience

People seem to forget that "Military grade" just means mass produced by the cheapest bidder

As an individual with no servers i see this as an absolute win.

Here's the thing: authorization is super easy to implement nowadays. Yet for some reason they thought basic clientsided encryption is the best way to secure their application. NEVER put any sort of security logic on the client, because it will be figured out one way or another. I hope everybody ditches this bot and never uses it again, because this is yet another example of idiots with some programming knowledge putting others at risk.

ever since i heard someone say that "military-grade" actually just means serviceable, i haven't been able to take any of those claims seriously anymore

As a programmer who works with secrets and api-keys I am amazed at the sheer stupidity of double-counter. Like its honestly impressive that they are making these mistakes 💀💀
Ima nerd out here so you can skip this: sending API requests to private API (discord's API in this case) with your own private API key from the clients side is wild and should never be done (Its commen-sense/cyber-sec 101).
Edit: People (roblox script kiddies) in the comments are waging a war over if I am a "real" programer. I am a programer; I am a full stack dev and code/work with Node.js, Typescript, Next.js, Nest.js, Redis, Mongo DB, SQL, python, etc. And i do in-fact work with secrets and api-keys that need to be kept hidden and protected properly.
Edit 2: I started a war in the comments 💀

I'm absolutely no Lawyer but Double Counter Lens sounds like its gonna violate the GDPR if the user does'nt explicitly agree to have his behavior tracked and data shared

That lens thing honestly sounds like it's illegal in Europe. GDPR states users must explicitly consent to all tracking (not just cookies). Not sure if this being a discord bot is some kind of loophole though, I'm no expert.

Military grade just means the cheapest that works

as a cybersec guy myself, while i do specialize mostly in maldev, evasion, gamehacking and binary exploitation, i'm really considering finding vulnerabilities in stuff like this cuz of this

The moment I heard "This bot has Administrative privileges" my face almost went through my desk.
STOP GIVING BOTS ADMIN

So far, Discord bot developers are the only ones that seem able to take the cake from WordPress plugin developers in terms of outrageously stupid vulnerabilities.

I've never heard of this bot, but I think it's great that I don't use this bot.

I want to say that while what you mentioned would be definitely be bad, if you have a bots client secret you can essentially just write your own code and feed it that secret and you control the bot. I'm not sure why this wasn't mentioned, because with a bot's clientid you can just write code to have it loop through every server, ban every player, delete every message... you get the idea. While its certainly more fun and chaotic to give everyone admin if someone actually wanted to do damage they could have wiped every server this bot was in with some very simple code

That bot can destroy discord predator server

Fun fact: Double counter will also ban you from any servers you try to join if you happen to have a sibling or someone else on your wifi network that also uses discord because it thinks you're an alt account

The real issue with the "military grade" term is that it's overused to the point that it no longer has the same meaning. I mean, HTTPS technically uses "military grade" encryption, and while VPN providers also have it as their main selling point, they're also not technically wrong, which is how they keep getting away from being accused of false advertising.
As Tom Scott used to describe VPN providers overusing the term: "is the sort of marketing that scares people into buying something they might not need".

I've been subscribed to NTTS since you had 2.7k subs i think, these videos are getting better and funnier. keep it up!

As someone who's made a few Discord bots, this is embarrassing. I have no clue how you write this code and don't expect something terrible. I'm not an expert, I'm not even smart. I'm just in awe. I hesitate to call the second issue a vulnerability, it's more like a backdoor. If you're using this bot, stop using it immediately.

Giving admin is a child's play. At that point you had the power to delete all channels indiscriminately, and ban absolutely everyone in those thousands of servers. Could even sort servers by member count and target the large ones first.

i love how when you said that eva got paid when reporting the bug, and you said "so its worth being a good citizen, since you might get ...", an ad just played
omg an ad for payment! awesome!
(i just find the timing to be rly comedic)

I'm not sure this lens thing really complies with the EU's GRPD, you can't just gather user data without asking first, and you certainly cannot do this without giving the user an option to refuse having its data gathered or an option to have it removed.
And apart from that yeah it's true that we don't act the same everywhere on discord, I act like a complete moron on friends servers and we ban each other for fun, so that rating system is kinda broken

Imagine how bad it'd be if some kid got into a massive server with this bot, and just took over? It'd be pretty bad..
Anyways, it's always a good day when NTTS posts. Keep up the good work, you impress me everytime!

As a person who doesnt use Double counter, I see this as an absolute win.

I've recently found out about DC when I accidentally clicked on a setting while setting up my emote server and oh boy the bot seems quite aggressive with the tracking and stuff even without the lens feature. Granted, before it's mostly to verify if you're an alt or not for that specific server but it still doesn't look good

DAMN this is like horrible i hate being tracked on discord or any platform and literally double counter is doing the worst thing ever like people gonna switch to different discord bots for sure and i myself gonna leave servers that use double counter dont want to get tracked by the stupidity of the devs.

A naked man fears no pickpocket.

That Double Counter Lens thing is making me feel like a goddamn star, GOTTA LOVE BEING STALKED BY BOTS!

another good day when ntts uploads

"Military Grade"
Civilians - :D
Military - D:

Petition for Double Counter to remove "military-grade" from their title

The outside for NTTS is just a painted basement room with felt on the floors & walls. X} Good content yo.

7:58 isnt that breaking european laws about privacy? they could literally end up in jail, even that their intentions were to actually protect users

this was a military-grade youtube video

So, this bot immediately starts tracking you as a user when you join a server that contains it, probably without you specifically getting a prompt to agree to such terms (especially with auto-verification)?
Oh European Union!

Alternate title for this video:
"Reporting" this server breaking bug by absolutely abusing it.

This bot runs off ip so if you live with someone that has been authorised by this bot that means you can't join a single server it is and it's support doesn't give two damns and say "Welp your problem not ours"

@NoTextToSpeech What is better wick's verify system or double counter verify system ? I need to know what to use in my server.

new editing style wild

i cannot believe they #1 had an exposed key, and #2 had a very very simple authentication method for setting sensitive values

that last point made with double lense would be a big issue with how I run my discord, I tap people on the wrist for cursing or caps spam, few seconds mute get their attention and a message just keep it in mind to reduce the amount cursing and caps, I've had people trigger it a lot and to me its not that big a deal but dam their DSCS would get destroyed

Military grade, seems like apple tbh

Props to Blahaj girls for making NTTS videos possible

This is why i make sure any bot roles are below any roles with permissions. Better yet if you put all your integration roles (bot roles) to the bottom of all your roles it is the best place for security reasons. I also don't use verification bots anymore but rather just let people in using discord's own system and if we get raided i just pause invites for 24 hours and investigate to see what link is being used to raid the server and then delete it. If it's disboard or something i'll just make the listing private and remake the invite.

If you've ever seen Lockpickinglawyer, you'll know Military grade is just cheap shit for the cheapest contract bidding price, or a Masterlock

its kind of funny how there is some random group of people making bots controlling people across servers with tracking and stuff while discords sits there and watches.

The NSFW Memes server…

By the way, the developer plans to give the Lens feature an opt-out and also wipe anything that was collected before then towards Sunday or so. The whole idea was one huge GDPR infarction waiting but hats off to the dev

double-counter have never heard of GDPR...

The fact that they claim to be a security bot yet they don't know a thing about cybersecurity or how to build secure software is quite amuzing

This was the most funny video of your career.

"Some people just don't understand the dangers of mass surveillance."

I wonder how they'd respond to a well-phrased, perfectly legal, ask for a GDPR data export. Not a "do not track me and ban me" a simple "Hey, what data did you actually collect about me ? Gimme."
It would probably be enlightning to know.

If you use AES, SHA or HMAC (all widely used and basically the standard), you are using "military-grade". You still need to implement them correctly, but the algorhithms themselfs are top tier.
That is what "Military-Grade" means in software security every single time.
Use it as a warning label, if someone calls his security features "military-grade", he is either trying to deceive you or doesn't know much about security/cryptography.

Funny how i got an ad for a nuking bot as this video finished

We're now at a point in time where everything is using at least military grade encryption. Sometimes more. Tranditionally, military grade = AES256. So this means that if you seen https in your browser's address bar, you're using AES (advanced encryption standard). Which basically means everything is using military grade encryption.

Pretty sure that their lens feature is against the developer tos and will cause massive api spam if it bans you on all servers

Double Counter is the worst bot out there. You get banned on Discord for spamming or something? "Oh you're an alt, and also we can't help you undo the considered alt even thought it's literally a deleted account" they ruin the discord experience because they have no way of support. All of their support for help is js left to a dead end. DOWN WITH DOUBLE COUNTER!!

hey i know this is weird but how do you get 3 color buttons on google chrome just asking

I really love when people say "Military Grade" on something, since Military Grade stuff is generally outsourced to the cheapest producer and mass produced for millions of soldiers. you want PMC Grade gear, that's the good shit.

Another issue with letting bots have full control over servers. Why don't people learn? Why did NTTS not say anything about how Double Counter _should not_ be an administrator. If all it does is: give roles, kick and ban users. Then it should only have those roles. It should not have the roles to modify channels, rename users, and more.
Plus if you want to use Double Counter for verification but not banning, you could prevent it from banning users. This also means that if a user wants their data deleted, Double Counter can't ban that user from your server.

I can't wait for someone to figure out how to get the developer of Double Counter banned by their own bot!

There are many bots/websites storing their secrets publicy (or just behind a get/post req with auth headers) so basiccly u can get the secret from any bot cause if you wouldnt, the website wouldnt neither which means u cant configure the bot... (ofc this is a case for dumb devs lol... normal would make everything server side and endpoints like /edit/cmd/... which accepts all stuff and then only uses the client server side)

We just added this bot about a week ago, and I saw that it wanted Administrator privilege... I didn't give it that privilege to see if it would function fine without it... and it does. The only thing that it can't do without it is give us server statistics, and we don't care about that. I also put Double Counter's role below all of our moderator roles. I am glad we were careful about that now that I have seen this, though it's good to know that they patched those issues.

that lens feature just screams for a lawsuit from a few germans...

They also don't like adblockers. Was curious what my score was but not that much to turn off my adblocker.

NTTS makes the best discord vids for me. Thanks for making such good content!

This is really MILITARY GRADE preformance.

How do you view the permissions of a server by clicking on it's name and then "permissions" in the dropdown? I don't have this option in the dropdown... this freaks me out...

Double Counter Lens smells like a GDPR violation

Love this video!

"Military Grade" unironically means "very bad, very cheap, does bare minimum" type of stuff. So they're not wrong there.

yno glitch u can abuse in somewhat specefic circumstances: get owner to give u administration perms for dyno then use the cmd that gives roles

So they had all the logic in the frontend of their website. XD.

he makes a security bot that can be essential for some servers and desides to sometimes just dont think faar and just do stuff. also the amount of small thing he dont bothers about. like this banning thing for deleting your data as law forces them to if you request it. its just a "screw you, we dont bother because you dont play into our cards" solution. or giving the bot admin when inviting it even trough thats risky and the bot only needs permission that are avable as role permission. yeah just implementing a monitoring feature that has several flaws that make it partly useless. but then advertising your bot whit a huge claim. its hard to tell if all this stuff is intentional but if it is then this is just careless

The client secret is more like a token that's used for OAuth2 interactions on discord.

Yeah that lens feature can’t be legal (under GDPR)
On another note, I’ve known about this exploit for over a year, so now I can finally say why I wouldn’t let the community use this bot. 😂

Fun fact:
In EVERY NTTS video,the server ''Silly Cat'' either appears or gets mentiones,in EVERY SINGLE VIDEO OF HIM it fucking does.

has no one learned their lesson from that Minecraft plugin that banned you globally if you got banned on more than 2 servers that had the plugin installed? bad actors would just make two fake Minecraft servers then ban someone from both lol. I imagine something similar might happen if you piss off a mod/admin that mods multiple discord servers

How can they ban you from all servers, if they don't store anything of you anymore. By their own admission, they're still holding on to at least your username

Wouldn't DC fundamentally break GDPR since there's no opt-in, only an opt-out?

wait is that permission menu a new thing because i don't see it on any of my servers

They will ban us, if we delete our data. So, what if we create a lot of alts and then request data deletion on all of that account and it will probably crash the bot banning us from all the servers...

what editor do u use

Honestly, military-grade is perfectly apt to describe this.

0:32 NOOOOO the bot that is THE BOT THAT IS GUILTY FOR ME LOSING MY ADMIN ON A SERVER IS VERY POPULAR

Programmer with engineering degree here.
I've seen some code and this here is worse than code from students that i've seen.
To those who don't know too much stuff about programming:
Most websites are built using Three-Tier Architecture (or in simpler words, are using three different "components" to work). Basically that goes down to three tiers:
- Presentation tier (what you see, all the shiny stuff)
- Application tier (processing of the data, etc)
- Databse tier (database and "back-end" stuff)
And most important here is the back-end stuff. The back-end is simply just a "brain" of the web application. Back-end processes vulnerable data and HAVE TO BE HIDDEN AT ALL TIMES!
There are languages that hide code automatically (or simply you don't have access to it because server won't let you) and they are used to create back-end of the application.
Here, they simply put some of the back-end stuff in the front-end code (and this should never happen in the first place - and certainly NOT ENTIRE ID's AND OTHER DATA).
Literally they made this code so bad I'm thinking it may be intentional - because it's really hard to mess up back-end that bad (back-end code is hidden by default)

The "military grade protection" on the internet may not be as flattering as it seems because we all know that the military still uses 20 year old computers

a wise man once said:
"never... EVER... trust the goddamn client"

I remember abusing unpatched thing in the old days: I bypass any account with just brave browser, no console

this tool seems very intrusive in general. it does seem useful to be able to detect alt accounts, however, i would never want to automatically ban them. most of the time, in my experience, alt accounts are actually just kids/tech illiterate people who forgot their pw/forgot they made an account already... not to mention the case of a shared ip address between multiple people. and honestly the usefulness doesn't outweigh my regard for people's privacy anyway...

According to every military person I know, "military grade" just means "barely functional".

could you copy a client id and preban someone multiple times from a discord server to ruin the dc lens feature thing?

I've reported bugs to a somewhat popular bot's developer and the only thing I got in exchange was 3 months of the bot's Premium subscription (equivalent to 15€)... that I couldn't fully use because the developer banned me from using most of the bot's features.

lol "military grade" is cheapest quality at the lowest cost! Army vet here, so I have seen this!

Nice video!

Hey, militray grade is not inaccurate here, the US military was well known for having tons of really awful cybersec that solely relied on the system being closed off

Amigo shiver my timber