1. Do not harass the bot developer. Yes, he didn't say thank you, but he did fix the issue quickly. Harassing someone because of poor manners aint the move. 2. The vulnerability is patched, please stop asking me how to hack into captcha.bot. I will never make a video on a live vulnerability because some of you are rascals. and finally, I was told that people are asking other bot devs if their bot is safe and linking this video. That is perfect, that's the goal of these videos. Whether it's a one man team or a big company, people will exploit discord bots and use it to ruin people's communities or scam a bunch of people. And everyone getting a little scared of eva, and double checking the security of their bots, is going to make the community a better place. (Even if it means I have to burn my bridges with bot devs that disagree).
How are these bots so hilariously insecure? The fact everything could not only be done so easily but also all within the browser's DEVELOPER TOOLS is a huge problem.
I finally understood why dumbasses politicians wanted at one point to block the inspect page... Wait, no they just are incredibly dumb and if they catch a glimpse of dev tools they will completely loose their mind lmao
@@VaultCordIt's the law to disclose data breah, bots' owner not following it (or the ToS) is not Discord fault - but Discord is at fault for not going after them after that through.
All those recent exploits discovered in bots is why I keep stressing to people to properly setup their servers and not blindly give bots permissions they don't need. Thank you for bringing light to these exploits, hopefully this pushes people to stop blindly trusting bots and for devs to be more careful with security
I had a server where bots have different functions, but these bots only had access to the channels they should have access to. For example, no access to #general or #moderation.
@@LiggliluffThat's pretty much how I do it, if it doesn't need to view a specific channel then it's restricted from it, if it only needs to read and not talk it won't have send message permission except for logs channels, etc
#1 advice i can give. Don't use bots. Bots are fully automated without human input when it comes to authentication. The best security you can do, is have active HUMAN staff members in your servers. I get the appeal for bots, but if you bringing them in from a third party, you are literally relinquishing control to someone you dont know if you can trust or not. Weither if the properly took the percautions. So, set up your discord and manage it yourself.
@@ItzPubby I wouldn't say that's a good advice, bots are helpful when used right especially when you have a large server or want to setup something specific, the issue is people are too lazy to set up bot properly and just gives it admin so it does its job, they don't organize their server roles properly, they don't disable bot features they don't need and don't restrict the bot accesses to what it doesn't need, they don't know how to look for the signs that a bot isn't made properly (such as its invite auth link requesting admin perms in any capacity). Sure if you're running a small server you probably don't need a bot, but they're a good tool and people needs to know better when using said tool.
@@toydotgame so if you are not a web dev, don't comment on the matter, authorization headers are completely fine and pretty standard for many applications
As someone who has dabbled with a bit of bot development here and there on Discord, I have seen so many examples of other developers who think they're too good and too big to acknowledge other people around them - especially when it's criticism or feedback. Not surprised at all that Dark ignored your DM and I can guarantee that had you sent it from your NTTS account he 100% only then would've bothered replying.
As a full-stack developer I can confirm that this is so amateur and unprofessional, no-one should trust a single product from this developer EVER. Remove captcha bot from your servers rn.
Verification etc. should be done on the backend and be a little more secure than just sending _any_ auth header. It should verify the auth header that it's actually the owner and probably a lot more. I even have such a login on my website, but you need the right password and username to get logged in and _then_ it just sees "Logged in? Okay, here's your perms!", because I am the only user account there. And eventually I'll replace that with a third-party OAuth login instead of an own one.
I can't even tell how it'd make it any easier. They clearly know the account to give the server to, so all they have to do is put the if (user is not me) check in there. Sure it can be put in the client side too, but just one line in the server side would have been enough to stop it.
It's a very amateur mistake so I wouldn't credit too much here, this should have never worked had this been done by someone with more than 1 year of experience.
@@unearthlynarratives_even somelne with 1 month of wxperience shoudn't make this mistake. As soon as you know that anyone can send stuff to your server, you should see how this is shitty security
I'm not surprised that Dark was unresponsive after you basically saved his bot from destruction and chaos. Every interaction I've had with him (through the Arcane server), he has been cold and narcissistic. I don't know if that's how he actually is IRL, or if he gets a lot of messages per day and can't keep up with them, but he does not seem like a very good person in my opinion. I am glad that he fixed this huge vulnerability, and I can pretty much guarantee that any mention of this in any of the servers he owns will be met with a timeout or something of that sort. I mentioned the word "bot" in the Arcane server and got muted for 5 minutes for "advertising" as he told me.
@@verytuffcat Dark is the only bot developer I have ever directly interacted with, so I can't speak much on that, but I wouldn't be surprised if the reason they seem cold is because they just get an onslaught of friend requests and DM requests. I would imagine it would be stressful to have to deal with all of that. I'm not excusing Dark's actions as he could have at least said thank you, but there might be multiple reasons why he didn't respond other than he's a duchebag. I still think he could be nicer though.
@@Gandalf_Potter00influencers and developers get insane dms and friend requests all the time lol, but not all of them are narcissistic. these type of people are just inherently like that, and the fame is just feeding it
Some servers really are set up horribly, one time, I saw a server where for some reason the owner role, with all perms, was under the member role, which everyone has, and also has perms to manage roles, so if literally anyone looked at the roles, which the member role also has perms for, they could've easily just given themselves owner and destroyed the entire server before the real owner got on.
LOL forget about bots, or even Discord, try to search how many vulnerabilities people have discovered in the major cloud computing providers (AWS, Azure, etc.).
Take active steps to protect yourself, you cant let other people do it for you. If you want the server safe and to have these types of security you need to go through and do it properly. the best thing you can do, is be as secure as you can from your end.
@@ItzPubby Do you know what you're saying... thing is, bots like Captcha bot have already constructed databases which can help find alts; this is not something you can just "acquire".
@@verytuffcat So basically the thing stores a number of IP addresses and other characteristics pertaining to a number of "devices" for every Discord account that goes through it, so if another account shares anything in common it is considered to be a possible alt. Yes, it can have false negatives (e.g. the person changes their public IP address) and false positives (e.g. the person is on a public Wi-Fi).
This is the reason I like to troll the help pages on Dark's Discord server. It makes him waste his time on stupid things that takes his precious time off. I feel no remorse for Dark whatsoever
Selling it to an interested party and having the vulnerability be patched before they use it will raise eyebrows and may be answered with lead or certain types of salts. You'll also never sell something like that again because your name becomes dirt, for both parties. It's a sure way to shoot your own foot off and risk losing family/job or life insurance.
That is the most pathetic thing I ever seen, like imagine ghosting the guy that help you find a security problem in your code, like imagine this happened again. I'm sure NTTS knows this abt stuff or he knows someone knows this stuff, imagine being so egoistical and risking ur career
okay so heres the thing, firstly a super big thank you for makeing those videos secondly i get that the dev might have had a bigger thing to work on than responding to you when they first saw it and im happy they did fix it so fast but a "hey we fixed it thanks for saveing our butt here" wouldve been nice
To be ethical or not to be. As soon as you have a good intention, you literally get shit on by life. Honestly, you shouldn't have given away the exploit without getting a response from him, or a bug-finding contract. This kind of vulnerability should have been rewarded. If I made a bot and such a vulnerability was discovered, not only would I thank the user who found it and didn't abuse it, but I'd also try to pay for it or give away premium benefits. What a rat. Translated because i'm not ca or us, just a baguette.
I think NTTS makes a good amount of video legally through YT. Probably why he leaves this stuff for other people to make the choice. But not responding doesn't sound like they tend to pay bug bounties. a good team would have probably offered it.
even ignoring ethics this is just stupid. if you know you get paid out and don't need to fear legal actions if you point out vulnerabilities, you'll probably do it. but if you know you will just be ignored but could instead exploit it to make some money, a lot of people wont care about ethics and decide to exploit. it's just proof for anybody that you'll gain much more from exploiting his products. that's just stupid and for all of his customers you can just hope that no bad actor is going to find something.
She does hobby pentesting according to her homepage. And her git shows activity in regards to malware/pentesting and most importantly silly block game.
Incredibly informative. As an indie dev who's also a cyber security freak and borderline paranoid this was such an interesting video, I always knew role order was important but I didn't also necessarily know it could act like an escalation hierarchy... I LITERALLY paused at 6:41 JUST to go update my server's roll order 🤣🤣 Thanks as always NTTS, keep up the great pen testing and the great work 🔥💥💥
I just finished watching this video, and decided to check a few of the bots I have used on servers I own/co-own, including paid, free, and trial bots. It takes a bit longer than this, but some very popular bots(not gonna name them) have some major issues very similar to this one. I tested a method on a server I am friends with the owner on and managed to(after creating a backup server so people wouldn't lose everything) completely wipe the server in the span of 8 minutes. People really need to hire some kind of white-hat to double check that things aren't as hilariously undefended as this was.
This shows us very well how life slaps you across the face for just being nice and the least they could've done is a thank you, but apparently thats too much for some people.
At this point, bad security by discord bot devs doesn't surprise me anymore. The bar to making a bot is so goddamn low that incompetent people make bots that get too popular for their own good.
My years of development experience in Web Applications taught me how terrible web app security system design are. So many developers just focus on finishing the app instead of protecting it from vulnerabilities and implementing some good tier security precautions. There's a world after sign-in page but sadly most developers dont care about that 😢............
I like the switching between severs and dms, but I absolutely hate the new search and how I can't just type from:someone without it trying to do some Google type of stuff
The only solution in my opinion, is making a private owner panel and move the api /guilded there. The owner panel and it's api endpoint will be connected to the database locally and they could add a login check with the owner's discord account. Trust me, I've done this for a website I own and it's a very good security. Like, who'll try to come at your house, try to guess your pc's password/pin or whatever you have, find the hidden owner panel and try to get in with your discord account?
I think you meant "/debug", not "/guilded", but a simple auth flow ought to be enough (what we saw in the video was Dark putting it "where nobody will go looking for it", a "very good" "alternative"!!! 😂).
I wonder if most bots have this exact issue with a similar result after making it think you're the owner and some devs are just too lazy to patch it if they hear about it.
Seeing this makes me glad that I went through the trouble of attaching this one bots permissions to each relevant Channel instead of giving it the blanket permission.
@@thewitchidolsachika6682 in discord the only updates shown in the video is they moved around the roles, theoretically if someones already in they could change it back. Unless NTTS didn't show what was further changed.
Disgusting behavior. A ‘thank you’ from his response would’ve really shown that he at least cared a bit. Sometimes it just doesn’t pay to have morals. I would have made an airdrop in an NFT server then have drained their wallets.
Bruh, you can definitely protect Vue routes in other ways! And also there should always be an API level securities e.g. protected endpoints based on roles, not by user ID even! Anyways, we need more ethical volunteers to check for stupid vulnerabilities like this... All developers are human beings, they can definitely make mistakes, it's not a thing to feel shy about. Therefore, let's put our hands together to fight the criminals who actually takes advantage of these mistakes... Thanks to NTTS for this awareness video!
@@sattlerdevelopment Yes, truly it can be a secure option if you can sanitize website's input cases. Even with user ID, you can add better defences for this kind of XSS attacks. You can add some sort of Server authentications and stuffs (as I noticed the website only authorised the "hacker" by what it sees from the browser's perspective, meaning it's an exploit that can completely be done from the frontend). You can also add Public IP address checking (i think) to notify the developer that an unknown device is trying to connect to the admin portal...or smth like that idk. Either way, there are a lots of measures you can take. (Thanks for the callback, I just didn't think of that exploit.)
As a Developer, hacker, consultant. You would be suprised at how many of these APIs are vulnrable to this exact issue. To many developers think that frontend verification is secure. Completely ignoring anyone could send requests directly to the API. And tbh, 99% of these issues come from Javascript developers. They have no idea about secure backend programming. Discord had the exact same vulnrability in their APIs, last year people discovered a new API for model popups, it was completely undocumented and wasnt supposed to be public, but even discord doesnt put propper authentication on their APIs.
It's certainly a js issue. Tons of js frameworks bake back end into the front end like react and nextjs. There's a level of abstraction that non system engineers can't really understand because they think they're writing back end code but it's actually running on the client. It's like giving them a notepad with all your passwords to everyone who visits your website.
In my experience, frontend developers don't seem to understand security. I once saw a frontend developer generate jwt tokens on the frontend, which means the secret had to be in the frontend, which means the secret isn't a secret anymore, which means no security. Might as well just create a big button labeled "hack me"
NTTS, idk if you still read comments, but are you aware how discord is forcing mobile users to use new ui To explain, now if you change the ui, you CANNOT change back to old ui (im forever stuck in new ui purgatory. Send Help)
yup. this is why I always set up bots below mods/andmins and above janitors. bots can only be trusted to delete messages and give roles that have no real perms under them.
from what i've seen (at least on this channel I don't really use bots in my servers at all, and the bots I do use are like, music bots which only need like 1 permission). Most bot developers don't have experience with an internet facing service. If the debug endpoint is there just for debugging other servers just incase there's an issue, why not just have it to where it can accept any ID and auth token, but on the backend it checks if it's the correct user. The code is right there in the page source, it just checks if the userID is the ID if the owner of capture bot, and just doesn't show it if it's not...the actual call doing the debug mode just does it, no other prior checks beside if the guildID is a valid id. What should've been done is, A. don't hardcode the user ID into the check for the User ID someone could just spoof it by just copying it right there B. do other verification on the actual backend. it could be a whole thing where first it sends the request like it does in the video, but when it gets to the backend it'll check multiple things, the user ID that sent the data, what permissions it has etc etc. verification shouldn't be done on the front end.
i just want you to know that if I was in your position, I would be an absolute menace but I appreciate your ethics even if they don't reflect my personal views
1. Do not harass the bot developer. Yes, he didn't say thank you, but he did fix the issue quickly. Harassing someone because of poor manners aint the move.
2. The vulnerability is patched, please stop asking me how to hack into captcha.bot. I will never make a video on a live vulnerability because some of you are rascals.
and finally, I was told that people are asking other bot devs if their bot is safe and linking this video. That is perfect, that's the goal of these videos. Whether it's a one man team or a big company, people will exploit discord bots and use it to ruin people's communities or scam a bunch of people. And everyone getting a little scared of eva, and double checking the security of their bots, is going to make the community a better place. (Even if it means I have to burn my bridges with bot devs that disagree).
Oh
i hope he learned now atleast to not hardcode his id and to write a good api (there a propably still allot of vulnerabilities)
that's reasonable
Well, the video could still be a clue to another exploit, if such a dumb loophole existed, there are likely many more.
yes
How are these bots so hilariously insecure? The fact everything could not only be done so easily but also all within the browser's DEVELOPER TOOLS is a huge problem.
@@VaultCord its the person who created the bot's fault, the website made for his bot has lots of vulnerabilties.
I finally understood why dumbasses politicians wanted at one point to block the inspect page... Wait, no they just are incredibly dumb and if they catch a glimpse of dev tools they will completely loose their mind lmao
@@VaultCordthey do, if only you cared to read the terms of service instead of blaming them for every goddamn thing
well you don't need any proven skills or any signed legal things to create a bot
@@VaultCordIt's the law to disclose data breah, bots' owner not following it (or the ToS) is not Discord fault - but Discord is at fault for not going after them after that through.
this guy needs a lesson on how to properly protect his API endpoints... hilarious
What do you mean? Checking the locally cached ID in the frontend with no proper backend verification is totally enough. /s
Their sourcemaps are still public, btw (the "Webpack" folder). Either theirs, or their payment/subscription processor
dark is an idiot
As a non coder whats an API?😊
@@TheRealKiRBEYme work wit someone else's application via my own code
All those recent exploits discovered in bots is why I keep stressing to people to properly setup their servers and not blindly give bots permissions they don't need.
Thank you for bringing light to these exploits, hopefully this pushes people to stop blindly trusting bots and for devs to be more careful with security
ye like who puts checks, security, etc in front-end?
I had a server where bots have different functions, but these bots only had access to the channels they should have access to. For example, no access to #general or #moderation.
@@LiggliluffThat's pretty much how I do it, if it doesn't need to view a specific channel then it's restricted from it, if it only needs to read and not talk it won't have send message permission except for logs channels, etc
#1 advice i can give. Don't use bots. Bots are fully automated without human input when it comes to authentication. The best security you can do, is have active HUMAN staff members in your servers. I get the appeal for bots, but if you bringing them in from a third party, you are literally relinquishing control to someone you dont know if you can trust or not. Weither if the properly took the percautions. So, set up your discord and manage it yourself.
@@ItzPubby I wouldn't say that's a good advice, bots are helpful when used right especially when you have a large server or want to setup something specific, the issue is people are too lazy to set up bot properly and just gives it admin so it does its job, they don't organize their server roles properly, they don't disable bot features they don't need and don't restrict the bot accesses to what it doesn't need, they don't know how to look for the signs that a bot isn't made properly (such as its invite auth link requesting admin perms in any capacity).
Sure if you're running a small server you probably don't need a bot, but they're a good tool and people needs to know better when using said tool.
Having this little protection is shameful. There is a complete lack of basic security measures...
im literally not a web dev and seeing that js auth code immediately set off alarms
@@toydotgame so if you are not a web dev, don't comment on the matter, authorization headers are completely fine and pretty standard for many applications
@@kibbewaterwhat. for an app like this? Okay
@@kibbewater💀
@@Omega-mr1jg The Auth headers were not the problem, lack of handling them correctly was.
As a Cybersecurity Student, that was the shitiest security that I have ever seen in my whole life 💀
that means you haven't been in cybersecurity for very long (no offense)
@@turtleparty7241 bro doesn't know how school works
@@turtleparty7241 A year and learning (yes, its not too long imo, doing hackthebox machines rn)
@@turtleparty7241 He said he was a student 🤨
@@turtleparty7241 so someone can easily hack into a bot by using F1 and it's not the shitiest security?
As someone who has dabbled with a bit of bot development here and there on Discord, I have seen so many examples of other developers who think they're too good and too big to acknowledge other people around them - especially when it's criticism or feedback. Not surprised at all that Dark ignored your DM and I can guarantee that had you sent it from your NTTS account he 100% only then would've bothered replying.
As a full-stack developer I can confirm that this is so amateur and unprofessional, no-one should trust a single product from this developer EVER. Remove captcha bot from your servers rn.
hecker
That's what happens when you just throw everything to the front end. x)
Verification etc. should be done on the backend and be a little more secure than just sending _any_ auth header. It should verify the auth header that it's actually the owner and probably a lot more.
I even have such a login on my website, but you need the right password and username to get logged in and _then_ it just sees "Logged in? Okay, here's your perms!", because I am the only user account there. And eventually I'll replace that with a third-party OAuth login instead of an own one.
this is what happens when someone spends too much time in js land lol
I can't even tell how it'd make it any easier. They clearly know the account to give the server to, so all they have to do is put the if (user is not me) check in there. Sure it can be put in the client side too, but just one line in the server side would have been enough to stop it.
Absolutely disgusting move by the bot owner.
Shut UP !!!!!!!! 😍😍😍😍🥰🤩🤩🤩
@@zikohaha7440npc
@@zikohaha7440 you shut up
@@zikohaha7440 no
Thats messed up
"am be so so wuh a bo" such wise words from the owner...
It’s something about the word sussy Baka but in reverse
I reversed it and it said amongus sussy baka not kidding reverse the video and you can hear it too
@@Mightypehe said “among us Sussy balls” Lmaooooo 💀💀💀
Whice goat will be the next to be my subcriber🤔
@@BlueYT592 Well i'm not a goat. Maybe the next guy
xyzeva causally finding vulnerability in security bots 💀
sometimes I want people like that to point what's wrong with my stuff out, just to make them a little bit better
@@chevvvv thats what beta releases, etc. are for
@@chevvvv and then there are those companies that sue you for letting them know, even if you just accidentially stumbled upon it...
It's a very amateur mistake so I wouldn't credit too much here, this should have never worked had this been done by someone with more than 1 year of experience.
@@unearthlynarratives_even somelne with 1 month of wxperience shoudn't make this mistake. As soon as you know that anyone can send stuff to your server, you should see how this is shitty security
I'm not surprised that Dark was unresponsive after you basically saved his bot from destruction and chaos. Every interaction I've had with him (through the Arcane server), he has been cold and narcissistic. I don't know if that's how he actually is IRL, or if he gets a lot of messages per day and can't keep up with them, but he does not seem like a very good person in my opinion. I am glad that he fixed this huge vulnerability, and I can pretty much guarantee that any mention of this in any of the servers he owns will be met with a timeout or something of that sort. I mentioned the word "bot" in the Arcane server and got muted for 5 minutes for "advertising" as he told me.
almost every large bot dev is narcissistic tbh
@@verytuffcat Dark is the only bot developer I have ever directly interacted with, so I can't speak much on that, but I wouldn't be surprised if the reason they seem cold is because they just get an onslaught of friend requests and DM requests. I would imagine it would be stressful to have to deal with all of that. I'm not excusing Dark's actions as he could have at least said thank you, but there might be multiple reasons why he didn't respond other than he's a duchebag. I still think he could be nicer though.
its very easy to turn off those friend request and dms stuff its just their incompetance@@Gandalf_Potter00
@@Gandalf_Potter00influencers and developers get insane dms and friend requests all the time lol, but not all of them are narcissistic. these type of people are just inherently like that, and the fame is just feeding it
@@Gandalf_Potter00 yeah
Some servers really are set up horribly, one time, I saw a server where for some reason the owner role, with all perms, was under the member role, which everyone has, and also has perms to manage roles, so if literally anyone looked at the roles, which the member role also has perms for, they could've easily just given themselves owner and destroyed the entire server before the real owner got on.
We would be doomed if NTTS started his villain arc.
too bad he cant cause all he knows is how to get spoonfed by women
yes. and it does not help that he gets treated like shit (ignored) when helping people.
he's gonna start it someday, if he gonna keep being treated like shit
Xyzeva is gonna be his side kick for sure
he would be the one who ruins every discord sever ever
I don't think I could've resisted the intrusive thoughts tbh. Good on you, dude lol.
xyzeva is a developer on a server Im an admin on lmao
i mean you could have harmless fun, right? don't have to go destructive.
It's people like you who are the reason why problems are only made public after they're fixed...
@@erikkonstas it's a joke not a dick, don't take it so hard.
@@ectothermic Literally nobody thinks you're joking tho.
these recent vulnerability videos have really given me insight on how even the biggest bots can be taken advantage of
LOL forget about bots, or even Discord, try to search how many vulnerabilities people have discovered in the major cloud computing providers (AWS, Azure, etc.).
Take active steps to protect yourself, you cant let other people do it for you. If you want the server safe and to have these types of security you need to go through and do it properly. the best thing you can do, is be as secure as you can from your end.
@@ItzPubby Do you know what you're saying... thing is, bots like Captcha bot have already constructed databases which can help find alts; this is not something you can just "acquire".
@@erikkonstasi honestly wonder how it works tho. can you explain
@@verytuffcat So basically the thing stores a number of IP addresses and other characteristics pertaining to a number of "devices" for every Discord account that goes through it, so if another account shares anything in common it is considered to be a possible alt. Yes, it can have false negatives (e.g. the person changes their public IP address) and false positives (e.g. the person is on a public Wi-Fi).
This is the reason I like to troll the help pages on Dark's Discord server. It makes him waste his time on stupid things that takes his precious time off. I feel no remorse for Dark whatsoever
Big W
Glad I never heard of this dumbass bot
lol
Did he just hack it for fun?
Am I misunderstanding? All the dude did was not reply to him. Why harass him?
You can always go the middle route: Sell the vulnerabilty but also tell the owner about it
that's big brain time
i wouldnt even bother telling him about this, i would just look how his bot gets destroyed. he's such a looser for not even answering
just sell the vulnerability to him for 1000 dollars
Selling it to an interested party and having the vulnerability be patched before they use it will raise eyebrows and may be answered with lead or certain types of salts. You'll also never sell something like that again because your name becomes dirt, for both parties.
It's a sure way to shoot your own foot off and risk losing family/job or life insurance.
@@Yezpahr Can't be attacked if nobody knows who you are ¯\_(ツ)_/¯
Once again, thank you for keeping us safe on Discord, NTTS!
Shame Discord don't have an employee to do this.
npc
You're an Npc @@HeadlessStar 😂😝
@@HeadlessStaryou have become the very thing you have set out to destroy!!
npc activity@@SilenceBot
@@HeadlessStar *bot activity
NTTS Started his own villain arc confirmed 100%
That is the most pathetic thing I ever seen, like imagine ghosting the guy that help you find a security problem in your code, like imagine this happened again. I'm sure NTTS knows this abt stuff or he knows someone knows this stuff, imagine being so egoistical and risking ur career
Can't say for sure he ghosted him, he only gave him one day to reply. When my dms are full it takes me two weeks to read and reply to them on average
okay so heres the thing, firstly a super big thank you for makeing those videos secondly i get that the dev might have had a bigger thing to work on than responding to you when they first saw it and im happy they did fix it so fast but a "hey we fixed it thanks for saveing our butt here" wouldve been nice
To be ethical or not to be. As soon as you have a good intention, you literally get shit on by life. Honestly, you shouldn't have given away the exploit without getting a response from him, or a bug-finding contract. This kind of vulnerability should have been rewarded. If I made a bot and such a vulnerability was discovered, not only would I thank the user who found it and didn't abuse it, but I'd also try to pay for it or give away premium benefits.
What a rat.
Translated because i'm not ca or us, just a baguette.
I think NTTS makes a good amount of video legally through YT. Probably why he leaves this stuff for other people to make the choice. But not responding doesn't sound like they tend to pay bug bounties. a good team would have probably offered it.
even ignoring ethics this is just stupid.
if you know you get paid out and don't need to fear legal actions if you point out vulnerabilities, you'll probably do it.
but if you know you will just be ignored but could instead exploit it to make some money, a lot of people wont care about ethics and decide to exploit.
it's just proof for anybody that you'll gain much more from exploiting his products.
that's just stupid and for all of his customers you can just hope that no bad actor is going to find something.
P sure the owner doesn't care to fix it and knowingly just lets that be possible
@@microondasradioativoit's best not to attribute to malice, that which can reasonably be attributed to being a complete dumbass.
@@parapetcloud if he's a dumbass then he'll learn the hard way
im starting to think eva is an AI, they have found ways to do this with so many bots lmao
Obviously she is, girls are not real
AI's pretty awful at cyber security. No, this is just a decent amount of time having fun pentesting lol
NULL
She does hobby pentesting according to her homepage. And her git shows activity in regards to malware/pentesting and most importantly silly block game.
@@kacperkonieczny7333 undefined
this is epic, guilded is finally getting the attention is really needs, this is poggers
Incredibly informative. As an indie dev who's also a cyber security freak and borderline paranoid this was such an interesting video, I always knew role order was important but I didn't also necessarily know it could act like an escalation hierarchy... I LITERALLY paused at 6:41 JUST to go update my server's roll order 🤣🤣
Thanks as always NTTS, keep up the great pen testing and the great work 🔥💥💥
I just finished watching this video, and decided to check a few of the bots I have used on servers I own/co-own, including paid, free, and trial bots. It takes a bit longer than this, but some very popular bots(not gonna name them) have some major issues very similar to this one. I tested a method on a server I am friends with the owner on and managed to(after creating a backup server so people wouldn't lose everything) completely wipe the server in the span of 8 minutes. People really need to hire some kind of white-hat to double check that things aren't as hilariously undefended as this was.
0:04 says
"Among us sussy ba-"
This shows us very well how life slaps you across the face for just being nice and the least they could've done is a thank you, but apparently thats too much for some people.
Eva and no text to speech are really helping people on this. the hero's we need.
At this point, bad security by discord bot devs doesn't surprise me anymore. The bar to making a bot is so goddamn low that incompetent people make bots that get too popular for their own good.
Good for you for making this issue recognized instead of doing evil with it! :D
This escalated so quickly.
he dont understand protection LOL
So now NTTS teamed up with hacker-cat-girl pfp and we're getting more videos like this ? love it
My years of development experience in Web Applications taught me how terrible web app security system design are. So many developers just focus on finishing the app instead of protecting it from vulnerabilities and implementing some good tier security precautions. There's a world after sign-in page but sadly most developers dont care about that 😢............
Security Problems in Discord Bots? You're... the One Legend.
Can you cover the new mobile layout and how to revert to the old layout? It's absolute ass and makes me happy to be legally blind
trick is to downgrade to earlier version, disable it there, update back and never update again without confirmation that it still exists
done
I like the switching between severs and dms, but I absolutely hate the new search and how I can't just type from:someone without it trying to do some Google type of stuff
I LOVE THIS. I can spend hours finding vulnerabilities or bypasses like this :). I wish I could do this as a full time job
"Wait a sec you're not the owner.."
"Yes i am"
"Come in!"
Made me laugh 😂
NTTS you giving here a good example of people who doesn't give a shit about safty, you did your thing and i proud of you its his problem
no announcement could mean some servers don't notice the bot handing out the wrong roles for a little while
6 seconds into the video and I have to pause to replay it, I was not prepared for this start.
don't worry, if he was that careless and clueless about security on that matter, he probably has a lot of other holes to patch
this seems very legal and not abusive at all, ur a pro white hat hacker man fr !!!!!!!
Make a video now explaining why the public dislikes the updated mobile interface.
This is why I don't trust security bots.
The only solution in my opinion, is making a private owner panel and move the api /guilded there. The owner panel and it's api endpoint will be connected to the database locally and they could add a login check with the owner's discord account. Trust me, I've done this for a website I own and it's a very good security. Like, who'll try to come at your house, try to guess your pc's password/pin or whatever you have, find the hidden owner panel and try to get in with your discord account?
? just store verification check code in back-end (server-side)
I think you meant "/debug", not "/guilded", but a simple auth flow ought to be enough (what we saw in the video was Dark putting it "where nobody will go looking for it", a "very good" "alternative"!!! 😂).
Welp time to raid some Discord servers. 💀
5:18 YOU HELPED ME FROM THAT UTTER GARBAGE HACK!! TYSM
he said “among us sussy baka” at 0:05
0:04 the reversed voice says, "Among us sussy ball-"
A hacking tutorial 💀
Fr 💀
Not really since the video was uploaded after it was patched
@@_DarkPlays YEAH!!!!!!
Crazy
No cuz people have fixed API endpoints this guy just didn’t think that anyone would try this or know how but it’s fixed now
this video was packed with information, yet so easy to follow!
crazy how this guy doesn't even protect his api endpoints
I did this on my friends 4 months ago a month before u uploaded this, And they laughed so hard they told everyone. thats how this vid was made.
Bro went from making videos about discord news to becoming a hacker, well I wasn’t expecting that
I wonder if most bots have this exact issue with a similar result after making it think you're the owner and some devs are just too lazy to patch it if they hear about it.
Waiting for NTTS's video on the new discord update with the interface
Seeing this makes me glad that I went through the trouble of attaching this one bots permissions to each relevant Channel instead of giving it the blanket permission.
The amount of trolling that will be done is devastating
The exploit is fixed. The trolling can only happen if something like this is leaked again.
@@thewitchidolsachika6682 rules of the universe: 1. Trolling will happen 2. If the trolling is stopped, it can happen again
@@thewitchidolsachika6682 in discord the only updates shown in the video is they moved around the roles, theoretically if someones already in they could change it back. Unless NTTS didn't show what was further changed.
6:30 bro was about to go on his villian arc 💀💀💀
I…might have to see if I can hire Eva to do a vulnerability check on a project at some point…
she is a developer for a server im an admin on
This man is an inspect element wizard, and my role model for inspect element.
Disgusting behavior. A ‘thank you’ from his response would’ve really shown that he at least cared a bit. Sometimes it just doesn’t pay to have morals. I would have made an airdrop in an NFT server then have drained their wallets.
I love this guy teaches about cybersecurity whilst entertaining w
This also brings to to the question how many other captcha bots are affected by this same exploit.
it's something very well-known, i think this bot's dev is just dumb
I'm sure you can find another one in the channel... 😂
The reversed speech at 0:05 is "Among us sussy balls".
To anyone wondering, similar bots exist on whatsapp too. Those bots have a lot more serious vulnerabilities tho (i.e RCE on host machine).
I use WhatsApp, and I think it doesn't have bots unless you are a business and verify it
@@_tr11 unofficial libraries exists.
Bruh, you can definitely protect Vue routes in other ways! And also there should always be an API level securities e.g. protected endpoints based on roles, not by user ID even! Anyways, we need more ethical volunteers to check for stupid vulnerabilities like this... All developers are human beings, they can definitely make mistakes, it's not a thing to feel shy about. Therefore, let's put our hands together to fight the criminals who actually takes advantage of these mistakes... Thanks to NTTS for this awareness video!
I wouldnt do it by role ids since someone could exploid the support server and give itself the roles or any other way I would always do it by user ids
@@sattlerdevelopment Yes, truly it can be a secure option if you can sanitize website's input cases. Even with user ID, you can add better defences for this kind of XSS attacks. You can add some sort of Server authentications and stuffs (as I noticed the website only authorised the "hacker" by what it sees from the browser's perspective, meaning it's an exploit that can completely be done from the frontend). You can also add Public IP address checking (i think) to notify the developer that an unknown device is trying to connect to the admin portal...or smth like that idk. Either way, there are a lots of measures you can take. (Thanks for the callback, I just didn't think of that exploit.)
Why? They ghost you, so why?
"But when i told the owner he said obby sussy mama"
just imagine this man going to his villain arc, it won't be pretty...
1:51 VOOO 😂😂 its pronounced "view"
NTTS could at any moment become discords biggest and most notorious hacker yet he chooses to be a white hat hacker.
I tip my hat to you
Why does everyone do authentication _client side?!_ Like, seriously, that's the oldest mistake in the book!
love your vids man
As a Developer, hacker, consultant.
You would be suprised at how many of these APIs are vulnrable to this exact issue. To many developers think that frontend verification is secure. Completely ignoring anyone could send requests directly to the API.
And tbh, 99% of these issues come from Javascript developers. They have no idea about secure backend programming.
Discord had the exact same vulnrability in their APIs, last year people discovered a new API for model popups, it was completely undocumented and wasnt supposed to be public, but even discord doesnt put propper authentication on their APIs.
It's certainly a js issue. Tons of js frameworks bake back end into the front end like react and nextjs. There's a level of abstraction that non system engineers can't really understand because they think they're writing back end code but it's actually running on the client. It's like giving them a notepad with all your passwords to everyone who visits your website.
8:41 “Pookiemane please return my calls” made me rolling on the floor😂
1:52 OMFG He pronounced "Vue" incorrectly, as a web developer I'M OFFENDED 😭😭
View
V-u-e
In my experience, frontend developers don't seem to understand security. I once saw a frontend developer generate jwt tokens on the frontend, which means the secret had to be in the frontend, which means the secret isn't a secret anymore, which means no security. Might as well just create a big button labeled "hack me"
NTTS, idk if you still read comments, but are you aware how discord is forcing mobile users to use new ui
To explain, now if you change the ui, you CANNOT change back to old ui (im forever stuck in new ui purgatory. Send Help)
the funny thing is the ad before this video (for me) was the advertise for a discord nuking bot lol
And here we, yet again, enter the topic of RUclips literally letting anything that smells like money slide...
How to get those dev tools? (0:46)
It's actually ALT+F4
Delete system32
y'all are foul 😭😭😭🙏🙏🙏
F12
I think it’s like visual studio code or smth
Man, you are a real hero! This made me so proud and insipred. Well done bro.
This escalated quickly.
I reversed the reversed audio, and it said: "Among Us Sussy"
7:28 whats that nameee
yup. this is why I always set up bots below mods/andmins and above janitors. bots can only be trusted to delete messages and give roles that have no real perms under them.
It's pronounced as VIEW NOT VUUUU I'M DYING
"but when i told the owner he said"
"ab yssus sugoma"
0:24 where is contain part Between secure and protect?💀
Scp
This is like multiple cardinal sins:
1: pushing debug tools to production
2: CLIENT SIDE VERIFICATION (????)
3: UNPROTECTED ENDPOINT (????????????)
Jesus... are these bots written by 12 year olds? Have they heard of doing authentication on the backend?
LOL if you ask them to build a fort, they are gonna tell you that their guard's way of protecting entry is asking for a name and that's it... 😂
from what i've seen (at least on this channel I don't really use bots in my servers at all, and the bots I do use are like, music bots which only need like 1 permission). Most bot developers don't have experience with an internet facing service. If the debug endpoint is there just for debugging other servers just incase there's an issue, why not just have it to where it can accept any ID and auth token, but on the backend it checks if it's the correct user. The code is right there in the page source, it just checks if the userID is the ID if the owner of capture bot, and just doesn't show it if it's not...the actual call doing the debug mode just does it, no other prior checks beside if the guildID is a valid id.
What should've been done is, A. don't hardcode the user ID into the check for the User ID someone could just spoof it by just copying it right there B. do other verification on the actual backend.
it could be a whole thing where first it sends the request like it does in the video, but when it gets to the backend it'll check multiple things, the user ID that sent the data, what permissions it has etc etc. verification shouldn't be done on the front end.
7:45 pause.... what the actual fuck?
The "I'm projecting" at the end killed me 😂
Hi (make this famous) Edit : OMG THANKS GUYS THIS IS THE MOST LIKES I EVER HAVE
i will try
Please shut up
bro it got 10 likes💀
Prepare thyself
Alright, Batman. Finding HUGE security issues and *not* doing any harm has to take some restraint.
I can't believe the owner said the N word
Fr
Normal on Discord
bruh stop spoiling >:(
i just want you to know that if I was in your position, I would be an absolute menace but I appreciate your ethics even if they don't reflect my personal views
Waiting for the new video about the discord mobile update 😁
Bro has the power in his own hand and shared it