Ruining Discord Servers with a Bot Exploit!

Imagine me joining your Discord server and using an exploit to give myself Admin. From there I can nuke your Discord server or give everyone staff or promote a scam. The evil is flowing through me.

Well, believe it or not, this is not a power-tripping dream that I had. This is a reality. Because the popular Discord alt bot, Double Counter, might have made some seriously amateur mistakes regarding the security of their bot and dashboard. The only good news of this is that it didn't fall into the wrong hands. (or maybe it did, because it fell into mine)

LINKS
-----------------------------------------------------------------------------
xyzeva's socials

TIMESTAMPS
-----------------------------------------------------------------------------
00:00 - Double Counter
00:49 - Vulnerability 1: da password in da public code
02:21 - Vulnerability 2: Oppenheimer of Discord
07:31 - Bye Bye Privacy Lens
Comments

UPDATE: Double counter did a MASSIVE update that addresses all of the privacy issues.
- They have a way to opt out of the lens feature, both for a whole server and for a user across discord
- AND, if you request to delete your data, you WILL NOT get banned!

Nathan, the owner of double counter, turned this around immaculately. Massive respect and props to him. And thank you all for being constructive with your feedback and coming to this result.

Friendly reminder, these vulnerabilities were disclosed and FIXED before this video. From the Double Counter announcement and from what I saw, this was never exploited in the wild.

NoTextToSpeech

The fact that they ban you from every single server that uses DC just because you don't wanna be tracked is actually insane. Bottom tier company

StanleyMOV

"Military grade" never means "good" to those with actual military experience

donovian

People seem to forget that "Military grade" just means mass produced by the cheapest bidder

thephantom

As an individual with no servers I see this as an absolute win.

OoperB

ever since I heard someone say that "military-grade" actually just means serviceable, I haven't been able to take any of those claims seriously anymore

amorfatikhb

As a programmer who works with secrets and api-keys I am amazed at the sheer stupidity of double-counter. Like it's honestly impressive that they are making these mistakes 💀💀

Ima nerd out here so you can skip this: sending API requests to a private API (discord's API in this case) with your own private API key from the client side is wild and should never be done (It's common sense/cyber-sec 101).

Edit: People (roblox script kiddies) in the comments are waging a war over if I am a "real" programmer. I am a programmer; I am a full stack dev and code/work with Node.js, Typescript, Next.js, Nest.js, Redis, Mongo DB, SQL, python, etc. And I do in fact work with secrets and api-keys that need to be kept hidden and protected properly.

Edit 2: I started a war in the comments 💀

varram

Here's the thing: authorization is super easy to implement nowadays. Yet for some reason they thought basic client-sided encryption is the best way to secure their application. NEVER put any sort of security logic on the client, because it will be figured out one way or another. I hope everybody ditches this bot and never uses it again, because this is yet another example of idiots with some programming knowledge putting others at risk.
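The two comments above (amorfatikhb on private API keys reaching the client, varram on security logic living on the client) describe the same design mistake from two sides. The following is an added illustration written for this page; it is not Double Counter's code and does not reflect how their dashboard is actually built. It contrasts a dashboard action handler that trusts an "I am admin" flag sent by the browser with one that identifies the caller from a server-held session and computes the caller's Discord permissions from data the backend fetched itself (so the bot token only ever lives in the server's environment). The guild, member and role data are constructed sample values; the two permission bit values are the real ones from Discord's permission flags.

```javascript
// Added illustration, not Double Counter's code: authorization must be decided
// on the server from data the server obtained, never from a client-supplied flag.
// Discord permission bits (real values from the Discord API permission flags):
const ADMINISTRATOR = 1n << 3n;   // 0x8
const MANAGE_ROLES  = 1n << 28n;  // 0x10000000

// Constructed sample data standing in for what the bot's backend would fetch
// from Discord using its own token (read from process.env.BOT_TOKEN, never
// shipped to the browser). Guild, user and role ids here are made up.
const GUILD_MEMBERS = {
  "guild-1": {
    "user-owner":  { roles: ["r-admin"] },
    "user-random": { roles: ["r-member"] },
  },
};
const GUILD_ROLES = {
  "guild-1": {
    "r-admin":  { permissions: ADMINISTRATOR },
    "r-member": { permissions: 0n },
  },
};

// Insecure pattern: the browser tells the server whether the caller is an
// admin. Anything in the request body can be edited in devtools, so the
// "check" is client-side security logic and grants the role to anyone.
function insecureGrantRole(request) {
  if (!request.body.isAdmin) return { ok: false, reason: "not admin" };
  return { ok: true, granted: request.body.targetRole };
}

// OR together the permission bits of every role the member holds.
function effectivePermissions(guildId, userId) {
  const member = GUILD_MEMBERS[guildId]?.[userId];
  if (!member) return 0n;
  return member.roles.reduce(
    (acc, roleId) => acc | (GUILD_ROLES[guildId]?.[roleId]?.permissions ?? 0n),
    0n,
  );
}

// ADMINISTRATOR implies every other permission; otherwise the specific bit
// must be set.
function hasPermission(perms, bit) {
  return (perms & ADMINISTRATOR) === ADMINISTRATOR || (perms & bit) === bit;
}

// Secure pattern: the caller's identity comes from the server-side session
// (e.g. established via OAuth2), the permission check uses server-fetched
// data, and only after it passes would the backend call Discord with its token.
function secureGrantRole(request, session) {
  if (!session || !session.userId) return { ok: false, reason: "unauthenticated" };
  const perms = effectivePermissions(request.body.guildId, session.userId);
  if (!hasPermission(perms, MANAGE_ROLES)) return { ok: false, reason: "forbidden" };
  return { ok: true, granted: request.body.targetRole };
}

// Demonstration: the same forged request, handled both ways.
const forged = { body: { guildId: "guild-1", targetRole: "r-admin", isAdmin: true } };
console.log("insecure handler:", insecureGrantRole(forged));
console.log("secure handler, ordinary member:",
  secureGrantRole(forged, { userId: "user-random" }));
console.log("secure handler, real admin:",
  secureGrantRole(forged, { userId: "user-owner" }));
```

The point of the contrast is that `request.body.isAdmin` is attacker-controlled input, while `session.userId` and the permission lookup are facts the server established on its own; everything the browser can see or send is untrusted, including any "encrypted" token embedded in the page.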

fusedqyou

I'm absolutely no lawyer but Double Counter Lens sounds like it's gonna violate the GDPR if the user doesn't explicitly agree to have his behavior tracked and data shared

notcallmehacker

as a cybersec guy myself, while I do specialize mostly in maldev, evasion, gamehacking and binary exploitation, I'm really considering finding vulnerabilities in stuff like this cuz of this

fxiqval

That lens thing honestly sounds like it's illegal in Europe. GDPR states users must explicitly consent to all tracking (not just cookies). Not sure if this being a discord bot is some kind of loophole though, I'm no expert.

JustTheJames

The moment I heard "This bot has Administrative privileges" my face almost went through my desk.

STOP GIVING BOTS ADMIN

JakeIGuess

I want to say that while what you mentioned would definitely be bad, if you have a bot's client secret you can essentially just write your own code and feed it that secret and you control the bot. I'm not sure why this wasn't mentioned, because with a bot's clientid you can just write code to have it loop through every server, ban every player, delete every message... you get the idea. While it's certainly more fun and chaotic to give everyone admin, if someone actually wanted to do damage they could have wiped every server this bot was in with some very simple code

pingupongoo

Military grade just means the cheapest that works

cron

Fun fact: Double counter will also ban you from any servers you try to join if you happen to have a sibling or someone else on your wifi network that also uses discord because it thinks you're an alt account

coletomlinson

So far, Discord bot developers are the only ones that seem able to take the cake from WordPress plugin developers in terms of outrageously stupid vulnerabilities.


As a person who doesn't use Double counter, I see this as an absolute win.

RoyBlox

That bot can destroy discord predator server

DjXavier

As someone who's made a few Discord bots, this is embarrassing. I have no clue how you write this code and don't expect something terrible. I'm not an expert, I'm not even smart. I'm just in awe. I hesitate to call the second issue a vulnerability, it's more like a backdoor. If you're using this bot, stop using it immediately.

ccgm_harpy

I've never heard of this bot, but I think it's great that I don't use this bot.

Prometheus_Alt