1. Do not harass the bot developer. Yes, he didn't say thank you, but he did fix the issue quickly. Harassing someone because of poor manners aint the move. 2. The vulnerability is patched, please stop asking me how to hack into captcha.bot. I will never make a video on a live vulnerability because some of you are rascals. and finally, I was told that people are asking other bot devs if their bot is safe and linking this video. That is perfect, that's the goal of these videos. Whether it's a one man team or a big company, people will exploit discord bots and use it to ruin people's communities or scam a bunch of people. And everyone getting a little scared of eva, and double checking the security of their bots, is going to make the community a better place. (Even if it means I have to burn my bridges with bot devs that disagree).

How are these bots so hilariously insecure? The fact everything could not only be done so easily but also all within the browser's DEVELOPER TOOLS is a huge problem.

All those recent exploits discovered in bots is why I keep stressing to people to properly setup their servers and not blindly give bots permissions they don't need. Thank you for bringing light to these exploits, hopefully this pushes people to stop blindly trusting bots and for devs to be more careful with security

this guy needs a lesson on how to properly protect his API endpoints... hilarious

Having this little protection is shameful. There is a complete lack of basic security measures...

As someone who has dabbled with a bit of bot development here and there on Discord, I have seen so many examples of other developers who think they're too good and too big to acknowledge other people around them - especially when it's criticism or feedback. Not surprised at all that Dark ignored your DM and I can guarantee that had you sent it from your NTTS account he 100% only then would've bothered replying.

As a Cybersecurity Student, that was the shitiest security that I have ever seen in my whole life 💀

As a full-stack developer I can confirm that this is so amateur and unprofessional, no-one should trust a single product from this developer EVER. Remove captcha bot from your servers rn.

I'm not surprised that Dark was unresponsive after you basically saved his bot from destruction and chaos. Every interaction I've had with him (through the Arcane server), he has been cold and narcissistic. I don't know if that's how he actually is IRL, or if he gets a lot of messages per day and can't keep up with them, but he does not seem like a very good person in my opinion. I am glad that he fixed this huge vulnerability, and I can pretty much guarantee that any mention of this in any of the servers he owns will be met with a timeout or something of that sort. I mentioned the word "bot" in the Arcane server and got muted for 5 minutes for "advertising" as he told me.

xyzeva causally finding vulnerability in security bots 💀

"am be so so wuh a bo" such wise words from the owner...

Some servers really are set up horribly, one time, I saw a server where for some reason the owner role, with all perms, was under the member role, which everyone has, and also has perms to manage roles, so if literally anyone looked at the roles, which the member role also has perms for, they could've easily just given themselves owner and destroyed the entire server before the real owner got on.

these recent vulnerability videos have really given me insight on how even the biggest bots can be taken advantage of

Absolutely disgusting move by the bot owner.

okay so heres the thing, firstly a super big thank you for makeing those videos secondly i get that the dev might have had a bigger thing to work on than responding to you when they first saw it and im happy they did fix it so fast but a "hey we fixed it thanks for saveing our butt here" wouldve been nice

I don't think I could've resisted the intrusive thoughts tbh. Good on you, dude lol.

We would be doomed if NTTS started his villain arc.

Once again, thank you for keeping us safe on Discord, NTTS! Shame Discord don't have an employee to do this.

You can always go the middle route: Sell the vulnerabilty but also tell the owner about it

this is epic, guilded is finally getting the attention is really needs, this is poggers

"Wait a sec you're not the owner.." "Yes i am" "Come in!"

This is the reason I like to troll the help pages on Dark's Discord server. It makes him waste his time on stupid things that takes his precious time off. I feel no remorse for Dark whatsoever

NTTS Started his own villain arc confirmed 100%

Incredibly informative. As an indie dev who's also a cyber security freak and borderline paranoid this was such an interesting video, I always knew role order was important but I didn't also necessarily know it could act like an escalation hierarchy... I LITERALLY paused at 6:41 JUST to go update my server's roll order 🤣🤣 Thanks as always NTTS, keep up the great pen testing and the great work 🔥💥💥

Eva and no text to speech are really helping people on this. the hero's we need.

I just finished watching this video, and decided to check a few of the bots I have used on servers I own/co-own, including paid, free, and trial bots. It takes a bit longer than this, but some very popular bots(not gonna name them) have some major issues very similar to this one. I tested a method on a server I am friends with the owner on and managed to(after creating a backup server so people wouldn't lose everything) completely wipe the server in the span of 8 minutes. People really need to hire some kind of white-hat to double check that things aren't as hilariously undefended as this was.

That is the most pathetic thing I ever seen, like imagine ghosting the guy that help you find a security problem in your code, like imagine this happened again. I'm sure NTTS knows this abt stuff or he knows someone knows this stuff, imagine being so egoistical and risking ur career

Good for you for making this issue recognized instead of doing evil with it! :D

So now NTTS teamed up with hacker-cat-girl pfp and we're getting more videos like this ? love it

Bro how are you on like 200 subs?? When i saw this vid i didnt notice the likes and thought hou must have had like 5k subs man Keep making these vids man! im always into the unpacking stuff💪💯

At this point, bad security by discord bot devs doesn't surprise me anymore. The bar to making a bot is so goddamn low that incompetent people make bots that get too popular for their own good.

Security Problems in Discord Bots? You're... the One Legend.

im starting to think eva is an AI, they have found ways to do this with so many bots lmao

My years of development experience in Web Applications taught me how terrible web app security system design are. So many developers just focus on finishing the app instead of protecting it from vulnerabilities and implementing some good tier security precautions. There's a world after sign-in page but sadly most developers dont care about that 😢............

This shows us very well how life slaps you across the face for just being nice and the least they could've done is a thank you, but apparently thats too much for some people.

Seeing this makes me glad that I went through the trouble of attaching this one bots permissions to each relevant Channel instead of giving it the blanket permission.

Can you cover the new mobile layout and how to revert to the old layout? It's absolute ass and makes me happy to be legally blind

Man, you are a real hero! This made me so proud and insipred. Well done bro.

no announcement could mean some servers don't notice the bot handing out the wrong roles for a little while

6 seconds into the video and I have to pause to replay it, I was not prepared for this start.

Bro went from making videos about discord news to becoming a hacker, well I wasn’t expecting that

I LOVE THIS. I can spend hours finding vulnerabilities or bypasses like this :). I wish I could do this as a full time job

This escalated so quickly.

The only solution in my opinion, is making a private owner panel and move the api /guilded there. The owner panel and it's api endpoint will be connected to the database locally and they could add a login check with the owner's discord account. Trust me, I've done this for a website I own and it's a very good security. Like, who'll try to come at your house, try to guess your pc's password/pin or whatever you have, find the hidden owner panel and try to get in with your discord account?

NTTS you giving here a good example of people who doesn't give a shit about safty, you did your thing and i proud of you its his problem

0:05 “Among us sussy ball” hit different 💀😭😭

Welp time to raid some Discord servers. 💀

Bruh, you can definitely protect Vue routes in other ways! And also there should always be an API level securities e.g. protected endpoints based on roles, not by user ID even! Anyways, we need more ethical volunteers to check for stupid vulnerabilities like this... All developers are human beings, they can definitely make mistakes, it's not a thing to feel shy about. Therefore, let's put our hands together to fight the criminals who actually takes advantage of these mistakes... Thanks to NTTS for this awareness video!

This is why I don't trust security bots.

8:41 “Pookiemane please return my calls” made me rolling on the floor😂

To be ethical or not to be. As soon as you have a good intention, you literally get shit on by life. Honestly, you shouldn't have given away the exploit without getting a response from him, or a bug-finding contract. This kind of vulnerability should have been rewarded. If I made a bot and such a vulnerability was discovered, not only would I thank the user who found it and didn't abuse it, but I'd also try to pay for it or give away premium benefits. What a rat. Translated because i'm not ca or us, just a baguette.

In my experience, frontend developers don't seem to understand security. I once saw a frontend developer generate jwt tokens on the frontend, which means the secret had to be in the frontend, which means the secret isn't a secret anymore, which means no security. Might as well just create a big button labeled "hack me"

The amount of trolling that will be done is devastating

just imagine this man going to his villain arc, it won't be pretty...

don't worry, if he was that careless and clueless about security on that matter, he probably has a lot of other holes to patch

5:18 YOU HELPED ME FROM THAT UTTER GARBAGE HACK!! TYSM

This also brings to to the question how many other captcha bots are affected by this same exploit.

NTTS could at any moment become discords biggest and most notorious hacker yet he chooses to be a white hat hacker. I tip my hat to you

I…might have to see if I can hire Eva to do a vulnerability check on a project at some point…

I wonder if most bots have this exact issue with a similar result after making it think you're the owner and some devs are just too lazy to patch it if they hear about it.

crazy how this guy doesn't even protect his api endpoints

*Plants C4 on bank vault "Hey, stop! This is security!" "Chill, I'm the owner, trust." "Oh, ok, I gotchu"

0:04 says "Among us sussy ba-"

I reversed the reversed audio, and it said: "Among Us Sussy"

A hacking tutorial 💀

0:04 the reversed voice says, "Among us sussy ball-"

Waiting for NTTS's video on the new discord update with the interface

This man is an inspect element wizard, and my role model for inspect element.

Disgusting behavior. A ‘thank you’ from his response would’ve really shown that he at least cared a bit. Sometimes it just doesn’t pay to have morals. I would have made an airdrop in an NFT server then have drained their wallets.

this man could be making millions by just straight up hacking and he decides to do discord videos, respect

he said “among us sussy baka” at 0:05

A naked man fears no pickpocket.

NTTS, idk if you still read comments, but are you aware how discord is forcing mobile users to use new ui To explain, now if you change the ui, you CANNOT change back to old ui (im forever stuck in new ui purgatory. Send Help)

I did this on my friends 4 months ago a month before u uploaded this, And they laughed so hard they told everyone. thats how this vid was made.

To anyone wondering, similar bots exist on whatsapp too. Those bots have a lot more serious vulnerabilities tho (i.e RCE on host machine).

this video was packed with information, yet so easy to follow!

As a Developer, hacker, consultant. You would be suprised at how many of these APIs are vulnrable to this exact issue. To many developers think that frontend verification is secure. Completely ignoring anyone could send requests directly to the API. And tbh, 99% of these issues come from Javascript developers. They have no idea about secure backend programming. Discord had the exact same vulnrability in their APIs, last year people discovered a new API for model popups, it was completely undocumented and wasnt supposed to be public, but even discord doesnt put propper authentication on their APIs.

6:30 bro was about to go on his villian arc 💀💀💀

"But when i told the owner he said obby sussy mama"

i just want you to know that if I was in your position, I would be an absolute menace but I appreciate your ethics even if they don't reflect my personal views

Why does everyone do authentication _client side?!_ Like, seriously, that's the oldest mistake in the book!

Alright, Batman. Finding HUGE security issues and *not* doing any harm has to take some restraint.

This escalated quickly.

The reversed speech at 0:05 is "Among us sussy balls".

1:51 VOOO 😂😂 its pronounced "view"

This man alone is a threat that cannot be described with words to discord-💀

Jesus... are these bots written by 12 year olds? Have they heard of doing authentication on the backend?

love your vids man

It's pronounced as VIEW NOT VUUUU I'M DYING

This is like multiple cardinal sins: 1: pushing debug tools to production 2: CLIENT SIDE VERIFICATION (????) 3: UNPROTECTED ENDPOINT (????????????)

How to get those dev tools? (0:46)

This is literally like going to someone house, knocking on the door and they ask who are you, you say its "me", the very memorable and handsome guy and they let you in

0:24 where is contain part Between secure and protect?💀

Bro has the power in his own hand and shared it

1:52 OMFG He pronounced "Vue" incorrectly, as a web developer I'M OFFENDED 😭😭

funny how i see the ad of a nuking bot before this video 💀

Literally the least he could've done was say "Thank you." But I guess when someone runs the "most secure" bot, they still have an ego regardless.

this seems very legal and not abusive at all, ur a pro white hat hacker man fr !!!!!!!

I can't believe the owner said the N word

some time ago you made a video to make your own music bot, in case you find other "selfmade" bots like a reaction role bot and others it would be great if you could make a video about these or atleast recommend them.