1. Do not harass the bot developer. Yes, he didn't say thank you, but he did fix the issue quickly. Harassing someone because of poor manners aint the move. 2. The vulnerability is patched, please stop asking me how to hack into captcha.bot. I will never make a video on a live vulnerability because some of you are rascals. and finally, I was told that people are asking other bot devs if their bot is safe and linking this video. That is perfect, that's the goal of these videos. Whether it's a one man team or a big company, people will exploit discord bots and use it to ruin people's communities or scam a bunch of people. And everyone getting a little scared of eva, and double checking the security of their bots, is going to make the community a better place. (Even if it means I have to burn my bridges with bot devs that disagree).

this guy needs a lesson on how to properly protect his API endpoints... hilarious

How are these bots so hilariously insecure? The fact everything could not only be done so easily but also all within the browser's DEVELOPER TOOLS is a huge problem.

Having this little protection is shameful. There is a complete lack of basic security measures...

As a full-stack developer I can confirm that this is so amateur and unprofessional, no-one should trust a single product from this developer EVER. Remove captcha bot from your servers rn.

All those recent exploits discovered in bots is why I keep stressing to people to properly setup their servers and not blindly give bots permissions they don't need. Thank you for bringing light to these exploits, hopefully this pushes people to stop blindly trusting bots and for devs to be more careful with security

As a Cybersecurity Student, that was the shitiest security that I have ever seen in my whole life 💀

Absolutely disgusting move by the bot owner.

I'm not surprised that Dark was unresponsive after you basically saved his bot from destruction and chaos. Every interaction I've had with him (through the Arcane server), he has been cold and narcissistic. I don't know if that's how he actually is IRL, or if he gets a lot of messages per day and can't keep up with them, but he does not seem like a very good person in my opinion. I am glad that he fixed this huge vulnerability, and I can pretty much guarantee that any mention of this in any of the servers he owns will be met with a timeout or something of that sort. I mentioned the word "bot" in the Arcane server and got muted for 5 minutes for "advertising" as he told me.

As someone who has dabbled with a bit of bot development here and there on Discord, I have seen so many examples of other developers who think they're too good and too big to acknowledge other people around them - especially when it's criticism or feedback. Not surprised at all that Dark ignored your DM and I can guarantee that had you sent it from your NTTS account he 100% only then would've bothered replying.

xyzeva causally finding vulnerability in security bots 💀

"am be so so wuh a bo" such wise words from the owner...

these recent vulnerability videos have really given me insight on how even the biggest bots can be taken advantage of

I don't think I could've resisted the intrusive thoughts tbh. Good on you, dude lol.

Once again, thank you for keeping us safe on Discord, NTTS! Shame Discord don't have an employee to do this.

We would be doomed if NTTS started his villain arc.

A hacking tutorial 💀

okay so heres the thing, firstly a super big thank you for makeing those videos secondly i get that the dev might have had a bigger thing to work on than responding to you when they first saw it and im happy they did fix it so fast but a "hey we fixed it thanks for saveing our butt here" wouldve been nice

That is the most pathetic thing I ever seen, like imagine ghosting the guy that help you find a security problem in your code, like imagine this happened again. I'm sure NTTS knows this abt stuff or he knows someone knows this stuff, imagine being so egoistical and risking ur career

To be ethical or not to be. As soon as you have a good intention, you literally get shit on by life. Honestly, you shouldn't have given away the exploit without getting a response from him, or a bug-finding contract. This kind of vulnerability should have been rewarded. If I made a bot and such a vulnerability was discovered, not only would I thank the user who found it and didn't abuse it, but I'd also try to pay for it or give away premium benefits. What a rat. Translated because i'm not ca or us, just a baguette.

Some servers really are set up horribly, one time, I saw a server where for some reason the owner role, with all perms, was under the member role, which everyone has, and also has perms to manage roles, so if literally anyone looked at the roles, which the member role also has perms for, they could've easily just given themselves owner and destroyed the entire server before the real owner got on.

This is the reason I like to troll the help pages on Dark's Discord server. It makes him waste his time on stupid things that takes his precious time off. I feel no remorse for Dark whatsoever

im starting to think eva is an AI, they have found ways to do this with so many bots lmao

I can't believe the owner said the N word

Eva and no text to speech are really helping people on this. the hero's we need.

You can always go the middle route: Sell the vulnerabilty but also tell the owner about it

this is epic, guilded is finally getting the attention is really needs, this is poggers

Man, you are a real hero! This made me so proud and insipred. Well done bro.

NTTS Started his own villain arc confirmed 100%

This escalated so quickly.

Can you cover the new mobile layout and how to revert to the old layout? It's absolute ass and makes me happy to be legally blind

I just finished watching this video, and decided to check a few of the bots I have used on servers I own/co-own, including paid, free, and trial bots. It takes a bit longer than this, but some very popular bots(not gonna name them) have some major issues very similar to this one. I tested a method on a server I am friends with the owner on and managed to(after creating a backup server so people wouldn't lose everything) completely wipe the server in the span of 8 minutes. People really need to hire some kind of white-hat to double check that things aren't as hilariously undefended as this was.

no announcement could mean some servers don't notice the bot handing out the wrong roles for a little while

This shows us very well how life slaps you across the face for just being nice and the least they could've done is a thank you, but apparently thats too much for some people.

6 seconds into the video and I have to pause to replay it, I was not prepared for this start.

So now NTTS teamed up with hacker-cat-girl pfp and we're getting more videos like this ? love it

don't worry, if he was that careless and clueless about security on that matter, he probably has a lot of other holes to patch

NTTS you giving here a good example of people who doesn't give a shit about safty, you did your thing and i proud of you its his problem

love your vids man

Security Problems in Discord Bots? You're... the One Legend.

crazy how this guy doesn't even protect his api endpoints

Welp time to raid some Discord servers. 💀

I LOVE THIS. I can spend hours finding vulnerabilities or bypasses like this :). I wish I could do this as a full time job

Seeing this makes me glad that I went through the trouble of attaching this one bots permissions to each relevant Channel instead of giving it the blanket permission.

This is why I don't trust security bots.

Waiting for NTTS's video on the new discord update with the interface

I wonder if most bots have this exact issue with a similar result after making it think you're the owner and some devs are just too lazy to patch it if they hear about it.

At this point, bad security by discord bot devs doesn't surprise me anymore. The bar to making a bot is so goddamn low that incompetent people make bots that get too popular for their own good.

Disgusting behavior. A ‘thank you’ from his response would’ve really shown that he at least cared a bit. Sometimes it just doesn’t pay to have morals. I would have made an airdrop in an NFT server then have drained their wallets.

NTTS, idk if you still read comments, but are you aware how discord is forcing mobile users to use new ui To explain, now if you change the ui, you CANNOT change back to old ui (im forever stuck in new ui purgatory. Send Help)

from what i've seen (at least on this channel I don't really use bots in my servers at all, and the bots I do use are like, music bots which only need like 1 permission). Most bot developers don't have experience with an internet facing service. If the debug endpoint is there just for debugging other servers just incase there's an issue, why not just have it to where it can accept any ID and auth token, but on the backend it checks if it's the correct user. The code is right there in the page source, it just checks if the userID is the ID if the owner of capture bot, and just doesn't show it if it's not...the actual call doing the debug mode just does it, no other prior checks beside if the guildID is a valid id. What should've been done is, A. don't hardcode the user ID into the check for the User ID someone could just spoof it by just copying it right there B. do other verification on the actual backend. it could be a whole thing where first it sends the request like it does in the video, but when it gets to the backend it'll check multiple things, the user ID that sent the data, what permissions it has etc etc. verification shouldn't be done on the front end.

Bruh, you can definitely protect Vue routes in other ways! And also there should always be an API level securities e.g. protected endpoints based on roles, not by user ID even! Anyways, we need more ethical volunteers to check for stupid vulnerabilities like this... All developers are human beings, they can definitely make mistakes, it's not a thing to feel shy about. Therefore, let's put our hands together to fight the criminals who actually takes advantage of these mistakes... Thanks to NTTS for this awareness video!

this makes me glad and sad that I am so neurotic about server setup. If I was a bit stupider I coulda used this to get back into my own server but I'm too reserved about permissions so this would've never worked :sob:

This escalated quickly.

some time ago you made a video to make your own music bot, in case you find other "selfmade" bots like a reaction role bot and others it would be great if you could make a video about these or atleast recommend them.

The "I'm projecting" at the end killed me 😂

Bro went from making videos about discord news to becoming a hacker, well I wasn’t expecting that

I…might have to see if I can hire Eva to do a vulnerability check on a project at some point…

yup. this is why I always set up bots below mods/andmins and above janitors. bots can only be trusted to delete messages and give roles that have no real perms under them.

The only solution in my opinion, is making a private owner panel and move the api /guilded there. The owner panel and it's api endpoint will be connected to the database locally and they could add a login check with the owner's discord account. Trust me, I've done this for a website I own and it's a very good security. Like, who'll try to come at your house, try to guess your pc's password/pin or whatever you have, find the hidden owner panel and try to get in with your discord account?

0:04 says "Among us sussy ba-"

Why does everyone do authentication _client side?!_ Like, seriously, that's the oldest mistake in the book!

another good reason to not make dashboards :D but fr whenever i got time to publish my bot, its just gonna be command-setting up cuz no clue how to make actual dashboards for setting stuff up

the funny thing is the ad before this video (for me) was the advertise for a discord nuking bot lol

The amount of trolling that will be done is devastating

To anyone wondering, similar bots exist on whatsapp too. Those bots have a lot more serious vulnerabilities tho (i.e RCE on host machine).

never wished to be a time traveler so badly until now

When I saw the title, I thought NTTS was going through like a villain arc

Me not understanding anything:🗿 Edit: the most likes ive ever gotten is 11 and its this comment

It's pronounced as VIEW NOT VUUUU I'M DYING

This also brings to to the question how many other captcha bots are affected by this same exploit.

Bro has the power in his own hand and shared it

As a Developer, hacker, consultant. You would be suprised at how many of these APIs are vulnrable to this exact issue. To many developers think that frontend verification is secure. Completely ignoring anyone could send requests directly to the API. And tbh, 99% of these issues come from Javascript developers. They have no idea about secure backend programming. Discord had the exact same vulnrability in their APIs, last year people discovered a new API for model popups, it was completely undocumented and wasnt supposed to be public, but even discord doesnt put propper authentication on their APIs.

1:52 OMFG He pronounced "Vue" incorrectly, as a web developer I'M OFFENDED 😭😭

just imagine this man going to his villain arc, it won't be pretty...

its so funny that he puts so little protection into the bots security

Hi (make this famous) Edit : OMG THANKS GUYS THIS IS THE MOST LIKES I EVER HAVE

Eva seems to be really good when it comes to Discord. Seems to be in a lot of vids now

Let’s hope there is a Batman out there just incase NTTS turns into evil superman with this someday

Waiting for the new video about the discord mobile update 😁

funny how i see the ad of a nuking bot before this video 💀

Damn, that's a real bad one. There must be other giant holes in this dev's projects... Understandable for a "got-out-of-hand" FOSS project, less so for a commercial product with paying users.

Since auto moderation is something that technology isn't really ready for yet, you should do this to AltDentifier next.

What plugin do you use to check the permission thing? Better discord or that other one? (i forgot the name of it lmao, forgive me)

The other move would be to capture your request to access that page and change your user ID to the one listed in the code.

Not acknowledging a potential exploit of this magnitude is really not a good look, especially with the amount of servers the bot is in. I get that development can be a big task, and the owner may have been having a bad day, but this is stuff you need to sit up and take notice of. He's just extremely lucky someone malicious didn't find this and either sell the exploit or just go on a server nuking spree.

I reversed the reversed audio, and it said: "Among Us Sussy"

When you get tired from telling people how to defend themselves from scams, you become a hacker.

amazing work from the person who actually found it

imagine what lethal problems this issue could cause 💀

What is the browser you used in the video? The console window is very good.

A naked man fears no pickpocket.

As the saying goes, no good deed goes unpunished.

Can you make a video on the new mobile layout? I just got it and god it's horrible I need help. I did some searches and apparently theres no way to revert it, it would be nice to know i'm not the only one suffering

that's why putting the authorization and query logic in client is bad. You need to do stuff server side. Never allow the client to send you the authorization data, if it's not a secret like authorization token, the user can fake the globally available data that you require the client to provide, and when you use this data to control user permissions then probably nothing will happen. But you shouldn't trust any user, some people don't want to be any good to you.

The fields are real quiet after watching this

unironically, learning code from you just hacking into these nerds is pretty fun

This is like multiple cardinal sins: 1: pushing debug tools to production 2: CLIENT SIDE VERIFICATION (????) 3: UNPROTECTED ENDPOINT (????????????)

0:04 the reversed voice says, "Among us sussy ball-"

This came out 53 minutes before I got discharged from surgery Peak content the moment I'm free hell yeah