I Hacked a Discord Bot, the Owner said this...

Поделиться
HTML-код
  • Опубликовано: 10 дек 2024

Комментарии • 1,4 тыс.

  • @NoTextToSpeech
    @NoTextToSpeech  Год назад +3543

    1. Do not harass the bot developer. Yes, he didn't say thank you, but he did fix the issue quickly. Harassing someone because of poor manners aint the move.
    2. The vulnerability is patched, please stop asking me how to hack into captcha.bot. I will never make a video on a live vulnerability because some of you are rascals.
    and finally, I was told that people are asking other bot devs if their bot is safe and linking this video. That is perfect, that's the goal of these videos. Whether it's a one man team or a big company, people will exploit discord bots and use it to ruin people's communities or scam a bunch of people. And everyone getting a little scared of eva, and double checking the security of their bots, is going to make the community a better place. (Even if it means I have to burn my bridges with bot devs that disagree).

    • @NeedForSpeedRTX
      @NeedForSpeedRTX Год назад +4

      Oh

    • @RoyaleWind
      @RoyaleWind Год назад +38

      i hope he learned now atleast to not hardcode his id and to write a good api (there a propably still allot of vulnerabilities)

    • @iwasneverjoebiden
      @iwasneverjoebiden Год назад +6

      that's reasonable

    • @7heMech
      @7heMech Год назад +3

      Well, the video could still be a clue to another exploit, if such a dumb loophole existed, there are likely many more.

    • @bnanik
      @bnanik Год назад

      yes

  • @T_nology
    @T_nology Год назад +3215

    How are these bots so hilariously insecure? The fact everything could not only be done so easily but also all within the browser's DEVELOPER TOOLS is a huge problem.

    • @IanGaming101HD
      @IanGaming101HD Год назад +86

      @@VaultCord its the person who created the bot's fault, the website made for his bot has lots of vulnerabilties.

    • @bablela26
      @bablela26 Год назад

      I finally understood why dumbasses politicians wanted at one point to block the inspect page... Wait, no they just are incredibly dumb and if they catch a glimpse of dev tools they will completely loose their mind lmao

    • @nocturnaldev8607
      @nocturnaldev8607 Год назад +34

      ​@@VaultCordthey do, if only you cared to read the terms of service instead of blaming them for every goddamn thing

    • @Minecon724
      @Minecon724 Год назад +3

      well you don't need any proven skills or any signed legal things to create a bot

    • @wiirlak8681
      @wiirlak8681 Год назад +5

      @@VaultCordIt's the law to disclose data breah, bots' owner not following it (or the ToS) is not Discord fault - but Discord is at fault for not going after them after that through.

  • @QSABDO
    @QSABDO Год назад +5053

    this guy needs a lesson on how to properly protect his API endpoints... hilarious

    • @Neninho_
      @Neninho_ Год назад +211

      What do you mean? Checking the locally cached ID in the frontend with no proper backend verification is totally enough. /s

    • @masterman1502
      @masterman1502 Год назад +29

      Their sourcemaps are still public, btw (the "Webpack" folder). Either theirs, or their payment/subscription processor

    • @giorgiotr
      @giorgiotr Год назад

      dark is an idiot

    • @TheRealKiRBEY
      @TheRealKiRBEY Год назад +15

      As a non coder whats an API?😊

    • @itznerdyfox7479
      @itznerdyfox7479 Год назад

      ​@@TheRealKiRBEYme work wit someone else's application via my own code

  • @kuuravr
    @kuuravr Год назад +690

    All those recent exploits discovered in bots is why I keep stressing to people to properly setup their servers and not blindly give bots permissions they don't need.
    Thank you for bringing light to these exploits, hopefully this pushes people to stop blindly trusting bots and for devs to be more careful with security

    • @GoldbergToastyBred
      @GoldbergToastyBred Год назад +8

      ye like who puts checks, security, etc in front-end?

    • @Liggliluff
      @Liggliluff Год назад +6

      I had a server where bots have different functions, but these bots only had access to the channels they should have access to. For example, no access to #general or #moderation.

    • @kuuravr
      @kuuravr Год назад +4

      ​​@@LiggliluffThat's pretty much how I do it, if it doesn't need to view a specific channel then it's restricted from it, if it only needs to read and not talk it won't have send message permission except for logs channels, etc

    • @ItzPubby
      @ItzPubby Год назад +1

      #1 advice i can give. Don't use bots. Bots are fully automated without human input when it comes to authentication. The best security you can do, is have active HUMAN staff members in your servers. I get the appeal for bots, but if you bringing them in from a third party, you are literally relinquishing control to someone you dont know if you can trust or not. Weither if the properly took the percautions. So, set up your discord and manage it yourself.

    • @kuuravr
      @kuuravr Год назад +5

      ​@@ItzPubby I wouldn't say that's a good advice, bots are helpful when used right especially when you have a large server or want to setup something specific, the issue is people are too lazy to set up bot properly and just gives it admin so it does its job, they don't organize their server roles properly, they don't disable bot features they don't need and don't restrict the bot accesses to what it doesn't need, they don't know how to look for the signs that a bot isn't made properly (such as its invite auth link requesting admin perms in any capacity).
      Sure if you're running a small server you probably don't need a bot, but they're a good tool and people needs to know better when using said tool.

  • @AquaQuokka
    @AquaQuokka Год назад +1543

    Having this little protection is shameful. There is a complete lack of basic security measures...

    • @toydotgame
      @toydotgame Год назад +36

      im literally not a web dev and seeing that js auth code immediately set off alarms

    • @kibbewater
      @kibbewater Год назад +7

      ​@@toydotgame so if you are not a web dev, don't comment on the matter, authorization headers are completely fine and pretty standard for many applications

    • @Omega-mr1jg
      @Omega-mr1jg Год назад +28

      ​@@kibbewaterwhat. for an app like this? Okay

    • @bennybouken
      @bennybouken Год назад +10

      ​@@kibbewater💀

    • @kibbewater
      @kibbewater Год назад +15

      @@Omega-mr1jg The Auth headers were not the problem, lack of handling them correctly was.

  • @4lokas
    @4lokas Год назад +948

    As a Cybersecurity Student, that was the shitiest security that I have ever seen in my whole life 💀

    • @turtleparty7241
      @turtleparty7241 Год назад +28

      that means you haven't been in cybersecurity for very long (no offense)

    • @distorted_heavy
      @distorted_heavy Год назад +195

      @@turtleparty7241 bro doesn't know how school works

    • @4lokas
      @4lokas Год назад

      @@turtleparty7241 A year and learning (yes, its not too long imo, doing hackthebox machines rn)

    • @drm.himself
      @drm.himself 11 месяцев назад

      ​@@turtleparty7241 He said he was a student 🤨

    • @Goovdluck687
      @Goovdluck687 10 месяцев назад

      ​@@turtleparty7241 so someone can easily hack into a bot by using F1 and it's not the shitiest security?

  • @sluuuudge
    @sluuuudge Год назад +207

    As someone who has dabbled with a bit of bot development here and there on Discord, I have seen so many examples of other developers who think they're too good and too big to acknowledge other people around them - especially when it's criticism or feedback. Not surprised at all that Dark ignored your DM and I can guarantee that had you sent it from your NTTS account he 100% only then would've bothered replying.

  • @lebleathan
    @lebleathan Год назад +1244

    As a full-stack developer I can confirm that this is so amateur and unprofessional, no-one should trust a single product from this developer EVER. Remove captcha bot from your servers rn.

    • @GoldbergToastyBred
      @GoldbergToastyBred Год назад +14

      hecker

    • @Dultus
      @Dultus Год назад +71

      That's what happens when you just throw everything to the front end. x)

    • @Lampe2020
      @Lampe2020 Год назад +36

      Verification etc. should be done on the backend and be a little more secure than just sending _any_ auth header. It should verify the auth header that it's actually the owner and probably a lot more.
      I even have such a login on my website, but you need the right password and username to get logged in and _then_ it just sees "Logged in? Okay, here's your perms!", because I am the only user account there. And eventually I'll replace that with a third-party OAuth login instead of an own one.

    • @tabletopjam4894
      @tabletopjam4894 Год назад +9

      this is what happens when someone spends too much time in js land lol

    • @WindowsDaily
      @WindowsDaily Год назад +3

      I can't even tell how it'd make it any easier. They clearly know the account to give the server to, so all they have to do is put the if (user is not me) check in there. Sure it can be put in the client side too, but just one line in the server side would have been enough to stop it.

  • @7heMech
    @7heMech Год назад +635

    Absolutely disgusting move by the bot owner.

    • @zikohaha7440
      @zikohaha7440 Год назад +11

      Shut UP !!!!!!!! 😍😍😍😍🥰🤩🤩🤩

    • @Craosien
      @Craosien Год назад

      ​@@zikohaha7440npc

    • @BroggoYT
      @BroggoYT Год назад

      @@zikohaha7440 you shut up

    • @redixroblox.
      @redixroblox. Год назад +79

      @@zikohaha7440 no

    • @hmhm-g6f
      @hmhm-g6f Год назад +1

      Thats messed up

  • @RealTheonFrFr
    @RealTheonFrFr Год назад +222

    "am be so so wuh a bo" such wise words from the owner...

    • @Mightype
      @Mightype Год назад +11

      It’s something about the word sussy Baka but in reverse

    • @mohabtameregyptgamer8902
      @mohabtameregyptgamer8902 Год назад +7

      I reversed it and it said amongus sussy baka not kidding reverse the video and you can hear it too

    • @Squid_wuz_here
      @Squid_wuz_here Год назад +5

      @@Mightypehe said “among us Sussy balls” Lmaooooo 💀💀💀

    • @BlueYT592
      @BlueYT592 Год назад

      Whice goat will be the next to be my subcriber🤔

    • @shrimpaerospace
      @shrimpaerospace 10 месяцев назад

      @@BlueYT592 Well i'm not a goat. Maybe the next guy

  • @rryangosling
    @rryangosling Год назад +279

    xyzeva causally finding vulnerability in security bots 💀

    • @chevvvv
      @chevvvv Год назад +15

      sometimes I want people like that to point what's wrong with my stuff out, just to make them a little bit better

    • @fuyuv_
      @fuyuv_ Год назад

      @@chevvvv thats what beta releases, etc. are for

    • @Buttersaemmel
      @Buttersaemmel Год назад

      @@chevvvv and then there are those companies that sue you for letting them know, even if you just accidentially stumbled upon it...

    • @unearthlynarratives_
      @unearthlynarratives_ Год назад +8

      It's a very amateur mistake so I wouldn't credit too much here, this should have never worked had this been done by someone with more than 1 year of experience.

    • @schrenjaminsstift92
      @schrenjaminsstift92 Год назад

      ​@@unearthlynarratives_even somelne with 1 month of wxperience shoudn't make this mistake. As soon as you know that anyone can send stuff to your server, you should see how this is shitty security

  • @Gandalf_Potter00
    @Gandalf_Potter00 Год назад +232

    I'm not surprised that Dark was unresponsive after you basically saved his bot from destruction and chaos. Every interaction I've had with him (through the Arcane server), he has been cold and narcissistic. I don't know if that's how he actually is IRL, or if he gets a lot of messages per day and can't keep up with them, but he does not seem like a very good person in my opinion. I am glad that he fixed this huge vulnerability, and I can pretty much guarantee that any mention of this in any of the servers he owns will be met with a timeout or something of that sort. I mentioned the word "bot" in the Arcane server and got muted for 5 minutes for "advertising" as he told me.

    • @verytuffcat
      @verytuffcat Год назад +21

      almost every large bot dev is narcissistic tbh

    • @Gandalf_Potter00
      @Gandalf_Potter00 Год назад +32

      @@verytuffcat Dark is the only bot developer I have ever directly interacted with, so I can't speak much on that, but I wouldn't be surprised if the reason they seem cold is because they just get an onslaught of friend requests and DM requests. I would imagine it would be stressful to have to deal with all of that. I'm not excusing Dark's actions as he could have at least said thank you, but there might be multiple reasons why he didn't respond other than he's a duchebag. I still think he could be nicer though.

    • @radiatedcherry
      @radiatedcherry Год назад

      its very easy to turn off those friend request and dms stuff its just their incompetance@@Gandalf_Potter00

    • @GlacialBolt
      @GlacialBolt Год назад

      ⁠@@Gandalf_Potter00influencers and developers get insane dms and friend requests all the time lol, but not all of them are narcissistic. these type of people are just inherently like that, and the fame is just feeding it

    • @verytuffcat
      @verytuffcat 11 месяцев назад +3

      @@Gandalf_Potter00 yeah

  • @thedonutone
    @thedonutone Год назад +28

    Some servers really are set up horribly, one time, I saw a server where for some reason the owner role, with all perms, was under the member role, which everyone has, and also has perms to manage roles, so if literally anyone looked at the roles, which the member role also has perms for, they could've easily just given themselves owner and destroyed the entire server before the real owner got on.

  • @PandaMasik
    @PandaMasik Год назад +156

    We would be doomed if NTTS started his villain arc.

    • @YeetDisDude
      @YeetDisDude Год назад

      too bad he cant cause all he knows is how to get spoonfed by women

    • @norwegiansmores811
      @norwegiansmores811 Год назад +20

      yes. and it does not help that he gets treated like shit (ignored) when helping people.

    • @Black_kot_original
      @Black_kot_original 10 месяцев назад +2

      he's gonna start it someday, if he gonna keep being treated like shit

    • @ZillMohammed-y1d
      @ZillMohammed-y1d 6 месяцев назад +9

      Xyzeva is gonna be his side kick for sure

    • @K0ra_st4r
      @K0ra_st4r 6 месяцев назад +1

      he would be the one who ruins every discord sever ever

  • @ectothermic
    @ectothermic Год назад +64

    I don't think I could've resisted the intrusive thoughts tbh. Good on you, dude lol.

    • @identifydelaymc3873
      @identifydelaymc3873 Год назад +2

      xyzeva is a developer on a server Im an admin on lmao

    • @liquidmagma0
      @liquidmagma0 Год назад +3

      i mean you could have harmless fun, right? don't have to go destructive.

    • @erikkonstas
      @erikkonstas Год назад +6

      It's people like you who are the reason why problems are only made public after they're fixed...

    • @ectothermic
      @ectothermic Год назад +14

      @@erikkonstas it's a joke not a dick, don't take it so hard.

    • @erikkonstas
      @erikkonstas Год назад +1

      @@ectothermic Literally nobody thinks you're joking tho.

  • @thehansboi
    @thehansboi Год назад +85

    these recent vulnerability videos have really given me insight on how even the biggest bots can be taken advantage of

    • @erikkonstas
      @erikkonstas Год назад

      LOL forget about bots, or even Discord, try to search how many vulnerabilities people have discovered in the major cloud computing providers (AWS, Azure, etc.).

    • @ItzPubby
      @ItzPubby Год назад +1

      Take active steps to protect yourself, you cant let other people do it for you. If you want the server safe and to have these types of security you need to go through and do it properly. the best thing you can do, is be as secure as you can from your end.

    • @erikkonstas
      @erikkonstas Год назад

      @@ItzPubby Do you know what you're saying... thing is, bots like Captcha bot have already constructed databases which can help find alts; this is not something you can just "acquire".

    • @verytuffcat
      @verytuffcat Год назад

      ​@@erikkonstasi honestly wonder how it works tho. can you explain

    • @erikkonstas
      @erikkonstas Год назад

      @@verytuffcat So basically the thing stores a number of IP addresses and other characteristics pertaining to a number of "devices" for every Discord account that goes through it, so if another account shares anything in common it is considered to be a possible alt. Yes, it can have false negatives (e.g. the person changes their public IP address) and false positives (e.g. the person is on a public Wi-Fi).

  • @Gotham-guardian-pls7t
    @Gotham-guardian-pls7t Год назад +232

    This is the reason I like to troll the help pages on Dark's Discord server. It makes him waste his time on stupid things that takes his precious time off. I feel no remorse for Dark whatsoever

    • @epicstar86
      @epicstar86 Год назад +20

      Big W

    • @billyhatcher643
      @billyhatcher643 Год назад

      Glad I never heard of this dumbass bot

    • @_tr11
      @_tr11 Год назад +2

      lol

    • @Saymon-t2q
      @Saymon-t2q Год назад

      Did he just hack it for fun?

    • @KaiDevvy
      @KaiDevvy Год назад +6

      Am I misunderstanding? All the dude did was not reply to him. Why harass him?

  • @lollolcheese123
    @lollolcheese123 Год назад +30

    You can always go the middle route: Sell the vulnerabilty but also tell the owner about it

    • @seawinn
      @seawinn Год назад

      that's big brain time

    • @tyx168
      @tyx168 Год назад +6

      i wouldnt even bother telling him about this, i would just look how his bot gets destroyed. he's such a looser for not even answering

    • @wanderingpalace
      @wanderingpalace Год назад +2

      just sell the vulnerability to him for 1000 dollars

    • @Yezpahr
      @Yezpahr 4 месяца назад

      Selling it to an interested party and having the vulnerability be patched before they use it will raise eyebrows and may be answered with lead or certain types of salts. You'll also never sell something like that again because your name becomes dirt, for both parties.
      It's a sure way to shoot your own foot off and risk losing family/job or life insurance.

    • @lollolcheese123
      @lollolcheese123 4 месяца назад +1

      @@Yezpahr Can't be attacked if nobody knows who you are ¯\_(ツ)_/¯

  • @ashmaniacal
    @ashmaniacal Год назад +124

    Once again, thank you for keeping us safe on Discord, NTTS!
    Shame Discord don't have an employee to do this.

    • @HeadlessStar
      @HeadlessStar Год назад +4

      npc

    • @ashmaniacal
      @ashmaniacal Год назад +6

      You're an Npc @@HeadlessStar 😂😝

    • @SilenceBot
      @SilenceBot Год назад +8

      ​@@HeadlessStaryou have become the very thing you have set out to destroy!!

    • @HeadlessStar
      @HeadlessStar Год назад

      npc activity@@SilenceBot

    • @ZickZenniYT
      @ZickZenniYT Год назад

      @@HeadlessStar *bot activity

  • @ur1zenAE
    @ur1zenAE Год назад +16

    NTTS Started his own villain arc confirmed 100%

  • @RavDeBest
    @RavDeBest Год назад +37

    That is the most pathetic thing I ever seen, like imagine ghosting the guy that help you find a security problem in your code, like imagine this happened again. I'm sure NTTS knows this abt stuff or he knows someone knows this stuff, imagine being so egoistical and risking ur career

    • @sal_strazzullo
      @sal_strazzullo 10 месяцев назад +1

      Can't say for sure he ghosted him, he only gave him one day to reply. When my dms are full it takes me two weeks to read and reply to them on average

  • @Sunnyon163
    @Sunnyon163 Год назад +8

    okay so heres the thing, firstly a super big thank you for makeing those videos secondly i get that the dev might have had a bigger thing to work on than responding to you when they first saw it and im happy they did fix it so fast but a "hey we fixed it thanks for saveing our butt here" wouldve been nice

  • @Pokamechibre
    @Pokamechibre Год назад +158

    To be ethical or not to be. As soon as you have a good intention, you literally get shit on by life. Honestly, you shouldn't have given away the exploit without getting a response from him, or a bug-finding contract. This kind of vulnerability should have been rewarded. If I made a bot and such a vulnerability was discovered, not only would I thank the user who found it and didn't abuse it, but I'd also try to pay for it or give away premium benefits.
    What a rat.
    Translated because i'm not ca or us, just a baguette.

    • @nwerd7584
      @nwerd7584 Год назад +13

      I think NTTS makes a good amount of video legally through YT. Probably why he leaves this stuff for other people to make the choice. But not responding doesn't sound like they tend to pay bug bounties. a good team would have probably offered it.

    • @Buttersaemmel
      @Buttersaemmel Год назад +15

      even ignoring ethics this is just stupid.
      if you know you get paid out and don't need to fear legal actions if you point out vulnerabilities, you'll probably do it.
      but if you know you will just be ignored but could instead exploit it to make some money, a lot of people wont care about ethics and decide to exploit.
      it's just proof for anybody that you'll gain much more from exploiting his products.
      that's just stupid and for all of his customers you can just hope that no bad actor is going to find something.

    • @microondasradioativo
      @microondasradioativo Год назад +1

      P sure the owner doesn't care to fix it and knowingly just lets that be possible

    • @parapetcloud
      @parapetcloud Год назад +7

      ​@@microondasradioativoit's best not to attribute to malice, that which can reasonably be attributed to being a complete dumbass.

    • @microondasradioativo
      @microondasradioativo Год назад

      @@parapetcloud if he's a dumbass then he'll learn the hard way

  • @Ri-Rye
    @Ri-Rye Год назад +126

    im starting to think eva is an AI, they have found ways to do this with so many bots lmao

    • @cylan6914
      @cylan6914 Год назад +1

      Obviously she is, girls are not real

    • @skylarkblue1
      @skylarkblue1 Год назад +32

      AI's pretty awful at cyber security. No, this is just a decent amount of time having fun pentesting lol

    • @kacperkonieczny7333
      @kacperkonieczny7333 Год назад +1

      NULL

    • @user-to7ds6sc3p
      @user-to7ds6sc3p Год назад +20

      She does hobby pentesting according to her homepage. And her git shows activity in regards to malware/pentesting and most importantly silly block game.

    • @_tr11
      @_tr11 Год назад

      @@kacperkonieczny7333 undefined

  • @DarkSansTV
    @DarkSansTV Год назад +4

    this is epic, guilded is finally getting the attention is really needs, this is poggers

  • @rocco.uploads
    @rocco.uploads 26 дней назад

    Incredibly informative. As an indie dev who's also a cyber security freak and borderline paranoid this was such an interesting video, I always knew role order was important but I didn't also necessarily know it could act like an escalation hierarchy... I LITERALLY paused at 6:41 JUST to go update my server's roll order 🤣🤣
    Thanks as always NTTS, keep up the great pen testing and the great work 🔥💥💥

  • @WannabeFemboyYT
    @WannabeFemboyYT 8 месяцев назад +3

    I just finished watching this video, and decided to check a few of the bots I have used on servers I own/co-own, including paid, free, and trial bots. It takes a bit longer than this, but some very popular bots(not gonna name them) have some major issues very similar to this one. I tested a method on a server I am friends with the owner on and managed to(after creating a backup server so people wouldn't lose everything) completely wipe the server in the span of 8 minutes. People really need to hire some kind of white-hat to double check that things aren't as hilariously undefended as this was.

  • @Zandersoneditz
    @Zandersoneditz Год назад +10

    0:04 says
    "Among us sussy ba-"

  • @genericname3685
    @genericname3685 Год назад +27

    This shows us very well how life slaps you across the face for just being nice and the least they could've done is a thank you, but apparently thats too much for some people.

  • @Pachi_Fuda
    @Pachi_Fuda Год назад +13

    Eva and no text to speech are really helping people on this. the hero's we need.

  • @RetoonHD
    @RetoonHD Год назад +9

    At this point, bad security by discord bot devs doesn't surprise me anymore. The bar to making a bot is so goddamn low that incompetent people make bots that get too popular for their own good.

  • @leikoo.
    @leikoo. Месяц назад

    Good for you for making this issue recognized instead of doing evil with it! :D

  • @7heMech
    @7heMech Год назад +30

    This escalated so quickly.

  • @Eflaene
    @Eflaene Год назад +3

    So now NTTS teamed up with hacker-cat-girl pfp and we're getting more videos like this ? love it

  • @justamanofculture12
    @justamanofculture12 4 месяца назад +2

    My years of development experience in Web Applications taught me how terrible web app security system design are. So many developers just focus on finishing the app instead of protecting it from vulnerabilities and implementing some good tier security precautions. There's a world after sign-in page but sadly most developers dont care about that 😢............

  • @Baburun-Sama
    @Baburun-Sama 11 месяцев назад +1

    Security Problems in Discord Bots? You're... the One Legend.

  • @TezlaGrey
    @TezlaGrey Год назад +12

    Can you cover the new mobile layout and how to revert to the old layout? It's absolute ass and makes me happy to be legally blind

    • @TorutheRedFox
      @TorutheRedFox Год назад +1

      trick is to downgrade to earlier version, disable it there, update back and never update again without confirmation that it still exists

    • @chaos9790
      @chaos9790 11 месяцев назад

      done

    • @sal_strazzullo
      @sal_strazzullo 10 месяцев назад

      I like the switching between severs and dms, but I absolutely hate the new search and how I can't just type from:someone without it trying to do some Google type of stuff

  • @JiříDanielŠuster
    @JiříDanielŠuster 11 месяцев назад +1

    I LOVE THIS. I can spend hours finding vulnerabilities or bypasses like this :). I wish I could do this as a full time job

  • @blacklight683
    @blacklight683 5 месяцев назад +7

    "Wait a sec you're not the owner.."
    "Yes i am"
    "Come in!"

  • @seriouslygoodguy
    @seriouslygoodguy Год назад +5

    NTTS you giving here a good example of people who doesn't give a shit about safty, you did your thing and i proud of you its his problem

  • @nanopi
    @nanopi Год назад +5

    no announcement could mean some servers don't notice the bot handing out the wrong roles for a little while

  • @mauron55
    @mauron55 Год назад +2

    6 seconds into the video and I have to pause to replay it, I was not prepared for this start.

  • @kipchickensout
    @kipchickensout Год назад +24

    don't worry, if he was that careless and clueless about security on that matter, he probably has a lot of other holes to patch

  • @BubblesWaffle
    @BubblesWaffle Год назад +2

    this seems very legal and not abusive at all, ur a pro white hat hacker man fr !!!!!!!

    • @bilinasmini3480
      @bilinasmini3480 Год назад +1

      Make a video now explaining why the public dislikes the updated mobile interface.

  • @joshinglyyy
    @joshinglyyy Год назад +6

    This is why I don't trust security bots.

  • @Funtime3Freddy3
    @Funtime3Freddy3 Год назад +1

    The only solution in my opinion, is making a private owner panel and move the api /guilded there. The owner panel and it's api endpoint will be connected to the database locally and they could add a login check with the owner's discord account. Trust me, I've done this for a website I own and it's a very good security. Like, who'll try to come at your house, try to guess your pc's password/pin or whatever you have, find the hidden owner panel and try to get in with your discord account?

    • @GoldbergToastyBred
      @GoldbergToastyBred Год назад +1

      ? just store verification check code in back-end (server-side)

    • @erikkonstas
      @erikkonstas Год назад

      I think you meant "/debug", not "/guilded", but a simple auth flow ought to be enough (what we saw in the video was Dark putting it "where nobody will go looking for it", a "very good" "alternative"!!! 😂).

  • @F.B.I_A.F.M
    @F.B.I_A.F.M 10 месяцев назад +6

    Welp time to raid some Discord servers. 💀

  • @MDW-wu6ey
    @MDW-wu6ey 4 месяца назад +1

    5:18 YOU HELPED ME FROM THAT UTTER GARBAGE HACK!! TYSM

  • @ProshipAshton
    @ProshipAshton Год назад +4

    he said “among us sussy baka” at 0:05

  • @angelaodonnell8407
    @angelaodonnell8407 Год назад +2

    0:04 the reversed voice says, "Among us sussy ball-"

  • @jacetang9552
    @jacetang9552 7 месяцев назад +148

    A hacking tutorial 💀

    • @UrMom8MyAss
      @UrMom8MyAss 6 месяцев назад +1

      Fr 💀

    • @_DarkPlays
      @_DarkPlays 6 месяцев назад +13

      Not really since the video was uploaded after it was patched

    • @Nerd-_-emoji-t3w
      @Nerd-_-emoji-t3w 4 месяца назад +2

      @@_DarkPlays YEAH!!!!!!

    • @Samdude12
      @Samdude12 3 месяца назад +1

      Crazy

    • @Hnxzxvr
      @Hnxzxvr 2 месяца назад +3

      No cuz people have fixed API endpoints this guy just didn’t think that anyone would try this or know how but it’s fixed now

  • @PhoebeNureeka
    @PhoebeNureeka 4 месяца назад

    this video was packed with information, yet so easy to follow!

  • @stoteam8748
    @stoteam8748 Год назад +8

    crazy how this guy doesn't even protect his api endpoints

  • @PawsIsHere
    @PawsIsHere 8 месяцев назад +1

    I did this on my friends 4 months ago a month before u uploaded this, And they laughed so hard they told everyone. thats how this vid was made.

  • @rainbowspongebob
    @rainbowspongebob Год назад +3

    Bro went from making videos about discord news to becoming a hacker, well I wasn’t expecting that

  • @Doodle128
    @Doodle128 11 месяцев назад +2

    I wonder if most bots have this exact issue with a similar result after making it think you're the owner and some devs are just too lazy to patch it if they hear about it.

  • @theenigmascribe
    @theenigmascribe Год назад +3

    Waiting for NTTS's video on the new discord update with the interface

  • @lightrealmrapono
    @lightrealmrapono Год назад +1

    Seeing this makes me glad that I went through the trouble of attaching this one bots permissions to each relevant Channel instead of giving it the blanket permission.

  • @Pengal25
    @Pengal25 Год назад +8

    The amount of trolling that will be done is devastating

    • @thewitchidolsachika6682
      @thewitchidolsachika6682 Год назад +1

      The exploit is fixed. The trolling can only happen if something like this is leaked again.

    • @Pengal25
      @Pengal25 Год назад +12

      @@thewitchidolsachika6682 rules of the universe: 1. Trolling will happen 2. If the trolling is stopped, it can happen again

    • @nwerd7584
      @nwerd7584 Год назад

      @@thewitchidolsachika6682 in discord the only updates shown in the video is they moved around the roles, theoretically if someones already in they could change it back. Unless NTTS didn't show what was further changed.

  • @CookieKingHamber
    @CookieKingHamber 11 месяцев назад +2

    6:30 bro was about to go on his villian arc 💀💀💀

  • @Zencep
    @Zencep Год назад +4

    I…might have to see if I can hire Eva to do a vulnerability check on a project at some point…

  • @Untitled-w6t
    @Untitled-w6t 6 месяцев назад +1

    This man is an inspect element wizard, and my role model for inspect element.

  • @souls4781
    @souls4781 Год назад +6

    Disgusting behavior. A ‘thank you’ from his response would’ve really shown that he at least cared a bit. Sometimes it just doesn’t pay to have morals. I would have made an airdrop in an NFT server then have drained their wallets.

  • @Rychuxd
    @Rychuxd 5 месяцев назад

    I love this guy teaches about cybersecurity whilst entertaining w

  • @techwhipped
    @techwhipped Год назад +3

    This also brings to to the question how many other captcha bots are affected by this same exploit.

    • @_tr11
      @_tr11 Год назад

      it's something very well-known, i think this bot's dev is just dumb

    • @erikkonstas
      @erikkonstas Год назад +1

      I'm sure you can find another one in the channel... 😂

  • @GarbageManThe4th
    @GarbageManThe4th Год назад +1

    The reversed speech at 0:05 is "Among us sussy balls".

  • @SheIITear
    @SheIITear Год назад +3

    To anyone wondering, similar bots exist on whatsapp too. Those bots have a lot more serious vulnerabilities tho (i.e RCE on host machine).

    • @_tr11
      @_tr11 Год назад

      I use WhatsApp, and I think it doesn't have bots unless you are a business and verify it

    • @SheIITear
      @SheIITear Год назад

      @@_tr11 unofficial libraries exists.

  • @md.riyasathossain590
    @md.riyasathossain590 Год назад +1

    Bruh, you can definitely protect Vue routes in other ways! And also there should always be an API level securities e.g. protected endpoints based on roles, not by user ID even! Anyways, we need more ethical volunteers to check for stupid vulnerabilities like this... All developers are human beings, they can definitely make mistakes, it's not a thing to feel shy about. Therefore, let's put our hands together to fight the criminals who actually takes advantage of these mistakes... Thanks to NTTS for this awareness video!

    • @sattlerdevelopment
      @sattlerdevelopment Год назад +1

      I wouldnt do it by role ids since someone could exploid the support server and give itself the roles or any other way I would always do it by user ids

    • @md.riyasathossain590
      @md.riyasathossain590 11 месяцев назад

      @@sattlerdevelopment Yes, truly it can be a secure option if you can sanitize website's input cases. Even with user ID, you can add better defences for this kind of XSS attacks. You can add some sort of Server authentications and stuffs (as I noticed the website only authorised the "hacker" by what it sees from the browser's perspective, meaning it's an exploit that can completely be done from the frontend). You can also add Public IP address checking (i think) to notify the developer that an unknown device is trying to connect to the admin portal...or smth like that idk. Either way, there are a lots of measures you can take. (Thanks for the callback, I just didn't think of that exploit.)

    • @iamerror1699
      @iamerror1699 6 месяцев назад

      Why? They ghost you, so why?

  • @ErrorAnimator687
    @ErrorAnimator687 Год назад +3

    "But when i told the owner he said obby sussy mama"

  • @boxYT1
    @boxYT1 Год назад +1

    just imagine this man going to his villain arc, it won't be pretty...

  • @beastnighttv
    @beastnighttv Год назад +5

    1:51 VOOO 😂😂 its pronounced "view"

  • @SeifuTheSigma
    @SeifuTheSigma 6 месяцев назад +1

    NTTS could at any moment become discords biggest and most notorious hacker yet he chooses to be a white hat hacker.
    I tip my hat to you

  • @lightning_11
    @lightning_11 Год назад +3

    Why does everyone do authentication _client side?!_ Like, seriously, that's the oldest mistake in the book!

  • @yeetboyo7
    @yeetboyo7 8 месяцев назад +1

    love your vids man

  • @tagKnife
    @tagKnife Год назад +5

    As a Developer, hacker, consultant.
    You would be suprised at how many of these APIs are vulnrable to this exact issue. To many developers think that frontend verification is secure. Completely ignoring anyone could send requests directly to the API.
    And tbh, 99% of these issues come from Javascript developers. They have no idea about secure backend programming.
    Discord had the exact same vulnrability in their APIs, last year people discovered a new API for model popups, it was completely undocumented and wasnt supposed to be public, but even discord doesnt put propper authentication on their APIs.

    • @Sammysapphira
      @Sammysapphira Год назад

      It's certainly a js issue. Tons of js frameworks bake back end into the front end like react and nextjs. There's a level of abstraction that non system engineers can't really understand because they think they're writing back end code but it's actually running on the client. It's like giving them a notepad with all your passwords to everyone who visits your website.

  • @XnSizerYT
    @XnSizerYT 3 месяца назад

    8:41 “Pookiemane please return my calls” made me rolling on the floor😂

  • @codeguy11
    @codeguy11 Год назад +15

    1:52 OMFG He pronounced "Vue" incorrectly, as a web developer I'M OFFENDED 😭😭

  • @Johncw87
    @Johncw87 6 месяцев назад

    In my experience, frontend developers don't seem to understand security. I once saw a frontend developer generate jwt tokens on the frontend, which means the secret had to be in the frontend, which means the secret isn't a secret anymore, which means no security. Might as well just create a big button labeled "hack me"

  • @tamerjustine
    @tamerjustine Год назад +5

    NTTS, idk if you still read comments, but are you aware how discord is forcing mobile users to use new ui
    To explain, now if you change the ui, you CANNOT change back to old ui (im forever stuck in new ui purgatory. Send Help)

  • @xvirtualgamer8468
    @xvirtualgamer8468 Год назад +1

    the funny thing is the ad before this video (for me) was the advertise for a discord nuking bot lol

    • @erikkonstas
      @erikkonstas Год назад

      And here we, yet again, enter the topic of RUclips literally letting anything that smells like money slide...

  • @XII-air-IIX
    @XII-air-IIX 6 месяцев назад +7

    How to get those dev tools? (0:46)

  • @paintden
    @paintden Год назад

    Man, you are a real hero! This made me so proud and insipred. Well done bro.

  • @roxlife8173
    @roxlife8173 Год назад +3

    This escalated quickly.

  • @oglothenerd
    @oglothenerd Год назад +2

    I reversed the reversed audio, and it said: "Among Us Sussy"

  • @therealPurrrple_2omg
    @therealPurrrple_2omg 4 месяца назад +4

    7:28 whats that nameee

  • @lateworm
    @lateworm Год назад +2

    yup. this is why I always set up bots below mods/andmins and above janitors. bots can only be trusted to delete messages and give roles that have no real perms under them.

  • @17ashishemmanuel
    @17ashishemmanuel Год назад +6

    It's pronounced as VIEW NOT VUUUU I'M DYING

  • @ihavenoideawhatimdoing23
    @ihavenoideawhatimdoing23 4 месяца назад +1

    "but when i told the owner he said"
    "ab yssus sugoma"

  • @nikolettaheigl3771
    @nikolettaheigl3771 10 месяцев назад +4

    0:24 where is contain part Between secure and protect?💀

    • @rex6353
      @rex6353 2 месяца назад +1

      Scp

  • @metalspoon69
    @metalspoon69 Год назад

    This is like multiple cardinal sins:
    1: pushing debug tools to production
    2: CLIENT SIDE VERIFICATION (????)
    3: UNPROTECTED ENDPOINT (????????????)

  • @duke605
    @duke605 Год назад +2

    Jesus... are these bots written by 12 year olds? Have they heard of doing authentication on the backend?

    • @erikkonstas
      @erikkonstas Год назад +1

      LOL if you ask them to build a fort, they are gonna tell you that their guard's way of protecting entry is asking for a name and that's it... 😂

  • @AsrielDreemurrPlays
    @AsrielDreemurrPlays Год назад

    from what i've seen (at least on this channel I don't really use bots in my servers at all, and the bots I do use are like, music bots which only need like 1 permission). Most bot developers don't have experience with an internet facing service. If the debug endpoint is there just for debugging other servers just incase there's an issue, why not just have it to where it can accept any ID and auth token, but on the backend it checks if it's the correct user. The code is right there in the page source, it just checks if the userID is the ID if the owner of capture bot, and just doesn't show it if it's not...the actual call doing the debug mode just does it, no other prior checks beside if the guildID is a valid id.
    What should've been done is, A. don't hardcode the user ID into the check for the User ID someone could just spoof it by just copying it right there B. do other verification on the actual backend.
    it could be a whole thing where first it sends the request like it does in the video, but when it gets to the backend it'll check multiple things, the user ID that sent the data, what permissions it has etc etc. verification shouldn't be done on the front end.

  • @Im_SuperNova
    @Im_SuperNova Год назад +3

    7:45 pause.... what the actual fuck?

  • @halladba101
    @halladba101 7 месяцев назад

    The "I'm projecting" at the end killed me 😂

  • @gorilla8275
    @gorilla8275 8 месяцев назад +14

    Hi (make this famous) Edit : OMG THANKS GUYS THIS IS THE MOST LIKES I EVER HAVE

    • @-cottoncandy-
      @-cottoncandy- 7 месяцев назад +1

      i will try

    • @swiftkumar
      @swiftkumar 5 месяцев назад

      Please shut up

    • @samned.
      @samned. 5 месяцев назад

      bro it got 10 likes💀

    • @Jirahs57
      @Jirahs57 4 месяца назад

      Prepare thyself

  • @shockmazta3116
    @shockmazta3116 2 месяца назад

    Alright, Batman. Finding HUGE security issues and *not* doing any harm has to take some restraint.

  • @Jakkilip
    @Jakkilip Год назад +12

    I can't believe the owner said the N word

  • @antiwolfer8691
    @antiwolfer8691 7 месяцев назад +1

    i just want you to know that if I was in your position, I would be an absolute menace but I appreciate your ethics even if they don't reflect my personal views

  • @Teslazer
    @Teslazer Год назад +3

    Waiting for the new video about the discord mobile update 😁

  • @YourLocal_AverageViewer
    @YourLocal_AverageViewer 7 месяцев назад +1

    Bro has the power in his own hand and shared it