Wow... This is a school grade level exploit. Anyone who paid attention to basic website security knows how to prevent this attack. And yet Discord's dev team is so incompetent that it couldn't even prevent something this basic.

The crazy thing is that React (which Discord is built with) literally has XSS protection built into it, meaning the developers had to deliberately go out of their way to make this exploit possible.

God, the absolute leveling that this guy does is addicting. This guy feels like one of those parents that would go: "Yeah, school sucks, heres why it sucks-"

They use React and still got an XSS issue?! That's honestly unforgivable.

Someone, please make this man a Discord Mod. He does figure out more than discord itself.. Hats off man. Love from India

Fun fact. Changing your password doesn't always work. I actually once got hacked on Discord, and instantly changed my password the moment I knew what had happened. Before the scammer even had a chance to do it themselves. They still got control of my account. Next level tomfoolery indeed.

NTTS is a youtuber I actually like to watch nowadays, even tho its about subjects I don't even know much about or affects me

Why don't we create a script that generates tokens and sends them to all known token saving sites? Fill up their databases and have them be less effective

I've heard Twitter had a self-retwitting script that works just like this, but that was several years ago. Can't believe this still happens

This seems to be a monthly thing now. Just don't click links. Simple

I appreciate you making these videos. I love waiting to get into a MW2 match and watching discords biggest mistakes.

This is as good as a reminder to everyone to SANITIZE YOUR INPUTS.

I’m honestly astounded that in 2022, Discord of all companies managed to accidentally create an XSS exploit.

Discord messed up??!?! No way! Impossible!

Thank you for sharing this important information about the Discord NFT scam link. Your video is helping to educate and protect the community. Keep up the good work in raising awareness about these types of threats

there should be (again) in the title 😂

Thank you for bringing this to light. You’re one of my favorite KZbinrs

Discord try not to create a security vulnerability with every new feature challenge (impossible)

NTTS, you covered this so well! * I don't feel sorry for the idiots that have a lot of money I guess.

The only vulnerability that's more unforgivable than XSS is SQL injections... That this happened to a big company like Discord is even worse...

Looks like $800K wasn't that much for Discord, they should be again fined

Thanks for letting us know man, I hope you stay safe out there

I'm happy that I never fell for this scam because I got a lot of these DMs but I just ignored them.

Hey, I have been watching for a long while, and I only now just realized that I was never subscribed! Your videos have always been recommended to me :)

Following this logic, the next exploit is gonna be "someone accidentaly typed 'DROP DATABASE discord' oops"

I found someone that’s been doing this to get people’s tokens and selling their tokens since the QR code scam, I’ve always thought this was possible but never had a sample to work with like you did, good job man!

damn bro thats crazy, they only did a minor felony this time?

Thank you NTTS for a birthday gift that is this video

i didn't even know what this was called but as soon as i saw the html i knew exactly what was going on. like no way did they let you just write html in a text description like that

As someone that is still learning web development, this stuff kinda scares me. My knowledge on network security as well as vulnerability detection is not that much yet.

This is why you gotta set your CSP headers. Even if somebody messed up the actual code itself, a good CSP will stop it from actually doing any harm!

Your videos are getting better & better! I follow you since you had 50k subs. Great job!!

A few years ago a security researcher found an XSS vulnerability in TweetDeck and used it to make the only self retweeting tweet.

man, the last time I saw such a major and easy xss vulnerability was xss in tweetdeck 8 years ago. and that was just a self-retweeting tweet. such incompetence.

my face when discord's website is vulnerable to the simplest Cross site scripting imaginable.

The moment I hear "This was against NFT groups" I immediately agree with the exploiters

Im gonna sleep very well tonight knowing that NFT are losing money again

Keep slaying no text to speech

That cherry server really went through a lot of pain mainly thier owner🤣🤣🤣

Fantastic video to inform us all about it but to be honest if you just stick to the rule of never clicking on any links before asking around or anything is the safest way to go Do not let your curiosity or greed get the better of you as those are usually how you fall for any scams Always ask yourself what could happen or simply why do I have to click on something someone sent me in dm which I have never spoken to before. Always have a certain level of distrust as come on this is the internet unless you know them personally irl you should always that certain level of awareness as anything could happen such as even your best friend on internet for years could turn on you for personal benefits

i’m genuinely surprised this was overlooked, literally no validation checks or encoding on the html to make sure that scrips aren’t being executed.. it’s unsurprising coming from discord though

Thanks for the information, Shared in my discord server

This shows how little testing they have. If they'd had more testing, especially for such a simple webpage, this would have never made it to live. Xss is very simple to prevent and, as many people have posted many times before, is very simple to escape a user's input. Apparently Discord doesn't know/follow the "never trust user input" rule. Also, with Discord being as big as it is, you'd think they'd do vulnerability testing that would have told them about this problem long before it got out of dev.

Spectacular analysis. Thank you!

brainfart: could people theoretically spam the blueh and/or hawkemedia links with fake/random tokens via scripts to throw some sand in their gearbox? obviously not all from the same IP so it's not as easy for them to filter out. they'd have to figure out if the tokens they collected are actually valid, and i guess would be kinda pissed if 99% aren't lol 🤔

I think what's crazy is that people are just now figuring out about this exploit which has actually been around for nearly 2 years now. Also most of the people hijacking accounts are focusing on people with og or "leets" for username and account age so that they can keep it and or sell it. A "leet" would be a username like root#0001 for example.

I really hope you get to be a discord mod. You do more than the discord staff at this point. PLEASE LET ME BE YOUR KITTEN 😳😳😳

Sucks that it happened, but at least it was a bunch of crypto nerds and not actual human beings

To be honest, I'm not even suprised anymore that Discord has another exploit. If they fix one, someone will find another one 😅

A friend of mine lost his account to this. Luckily we were able to recover it, but it was scary for a while there.

It is possible to do a lot of input sanitization, CORS policy changes and CSP changes to circumvent a lot of XSS, but in the end you probably won't get everything. Hackers will reverse a site and try to find a bypass to the filter you set in place. It isn't necessarily Discord's fault because it took hackers this long to discover it. It just goes to show that nothing you do as a security researcher and engineer will truly patch a vulnerability fully, but instead just makes it harder for a hacker to exploit it. Discord does have a bug bounty, but if crypto scams will yield more money than the reward money from the bug bounty, it makes more sense for hackers to exploit it rather than responsibly disclosing it.

Where's my "I love you bye bye!" 😭best part of your videos.

This is why it's a good idea to use Element instead, Discord just keeps on getting these weird instabilities.

I can't believe that discord forgot about it! It's legit on the OWASP top 10 web app vulnerabilities. A lot of these big companies forget about web app security 101 and it's sad.

This is why I stay logged out in my browsers

these security exploits are really making guilded look like a feasible option

This is why you don't click links. Even if it's from someone you think you know, try to engage them in a conversation (esp if you haven't heard from them in a minute); if they talk different than normal, you know

that's crazy. well on the slightly bright side, at least it's fixed now...

This happened to me. I got offered to be paid to "test" a service or something similar and be invited to a server. I just simply ignored those DMs. They were persistent and would try one or two more times, I still never clicked on them.

i remember when tweetdeck had a xss self retweeting tweet a long time ago. How so many people don't see this issue with their websites is crazy to me

I actually had my Discord account stolen a while ago - after signing into what I thought was a Discord page. They changed my password (which is how I learned that the account was hijacked). They deleted everything, logged my account into a bunch of random servers, then game my account back. When I contacted Discord, they told me that it was impossible for my account to have been stolen. After I got my account back (no help from Discord on this front, since they insisted that it wasn’t even possible), I asked them if they could tell me where my account was accessed from. I never got a reply back from them. I found out on my own, using Discords own tools, what countries (yes, more than one) my account had been accessed from between the time it was stolen and the time it was “returned”.

So glad I've been sick the last few days

Whoa! Some classic XSS just became a 0-day on Discord. How unexpected! 😂

Another day, another scammer heist. On Discord ofcourse!

That with the worm is talked about with interview on darknet diarys

im not a security engineer or anything, but didnt this exact same thing happen with Flash? Like this is one of the most simplest things to avoid.

it’s insane discord never patched this, i literally used it in 5th grade to mess with my friends on websites they made

You should really look into being a security researcher, great work!

really cool video! can you tell me what explorer do you use? or what theme do you use to make it look that way? i been trying to find a cool browser and yours is really cool.

"Discord messed up server discovery" - i already thought about xss

Stealing a Discord token is incredibly bad. If you lose the token and the recipient has any sort of scripting set up, you can expect to have the entire account stolen inside of 30 seconds. I'd fallen for a phish where I was asked to test a game distributed over Itch. It stole my Discord token from my Discord desktop client, logged me out, and closed the client. And despite having 2FA on my account, I was unable to log back in again, as the token thief managed to strip 2FA AND change the password AND change the email address on it. Without any sort of request for 2FA tokens from my phone or passwords. I'd asked Discord support over Twitter for assistance, and they'd reverted the email address back to mine... but presumably the token never got reset or the token stealer was still running on my machine, because it was stolen and yanked away from me yet again. And yes, I was a paying Nitro user with saved payment information. Thankfully, because I paid via PayPal, I was able to tell PayPal to never send any money toward Discord and saved myself ~US$150 of fraudulent purchases.

Wich Browser are you using? It Looks so cool with the rounded edges

That’s really really bad. The fact that this is even a possibility in this day and age is insane

i feel so bad for the people who had their accounts stolen but holy fuck is that funny lmao. It's such an easy thing to fix and I don't know how it's ever a thing in 2022

The junior developer who wrote that: oops.. 👀

Even I, someone who makes tiny Github websites with no actual security risks, patch XSS. How did Discord forget?

With modern JS frameworks the threat of XSS is lessened. React makes it obvious when you might have issues by making you type out "dangerouslySetInnerHTML" when you're doing something that is likely dumb. In React if you pass a "" to anything else it will be interpreted as text. This makes developers less aware of threats because XSS hasn't been a concern to them, until there's SSR and the browser is no longer told to interpret "" as text but it looks like it should be an element. It's super simple to avoid, but at the same time it's easy for developers to forget that it's a concern.

the light mod thumbnail BRUHHH

This might be a really stupid question, but why do Discord Tokens exist? Most scamming attempts seem to try and get your Token. What do we need it for? Cant we just always have our account bound with username password and 2fa?

Bobby Tables would be proud... or maybe disappointed.

Well it's like some say "one's man's trash,another's trash"

What did you do to your firefox to make it look like that? the coloration of boxes and lines around the tabs to be specific.

Funny how I got a discord ad at the start

8:12 bro became a discord kitten 💀

What one could do in case of these dead ends mentioned in the video, it is always possible to look where the servers are hosted and what they are doing with them. ping, traceroute and nmap are your friends.

Sometimes, it's the implementation of XSS prevention which is vulnerable. There was evidence of existing XSS prevention in the audit that was made. Don't flame them too hard.

Does Discord not have a blue team? It sounds like they don't from the presence of these scams and exploits.

Coool, I

I see everyone hating on discord. I am a bug bounty hunter and we gotta understand that all of us are humans, everyone makes mistakes, way bigger companies are getting hacked daily with way stupider vulnerabilities and you gotta remember there are millions of places where you have to check for vulnerabilities. Of course it sounds stupid that it had such a stupid vulnerability because it was found and sounds like ‘holly shit everybody could find it’ it’s actually not working like that 😂

Your discord token will automatically change within 6-8 hours I think or maybe 12. It doesn't stay the same forever. They can send automated requests using that. But they can't change your password or access the full discord account. Unless they know the Server ID, Channel ID in which they want to send the message in. So they would have that info probably of only one server in which you were with the guy that sent you the link.

Idea: use python / Java scripts to spam send http requests with BS tokens to make it so they have to check each

I've been using that new string type quite a bit lately. It's very useful.

Wow I was wondering all the warnings saying not to click links lmao

I was around the hacking space when this vulnerability was found. My friend tested it on me and we thought it was a cool little gimmick but nothing worth using against anyone except enemies. That was 6 years ago I believe, if it’s really been this long and they haven’t patched it, that’s extremely sad. Honestly a low level exploit as well.

I’m amazed this could happen

You can use burp suite to check what it is doing in detail

Why does the outro always catch me off guard?

bro’s channel is Discord News now lmao

Crazy bro these days you just gotta click on a invite link and meanwhile u don't even know ur already fucced 😂

It's stupid that Discord did that, but it is also astounding that redux put the vulnerable code on their website, with only a comment in the snippet saying "hey check this link for security issues", instead of including the two function calls that make it safe. And then I wonder why Discord server side renders/ templates it in there in the first place, js can access the query param itself... Truthfully as a developer I have to say that unfortunately I have had many less than competent colleagues, and combined with pressure and negligence from management that has lead to very similar and worse issues a number of times. These issues don't come out of nowhere.