For the past couple of months, I've been hearing about increasing numbers of account takeover attacks in the Discord community. Discord has somehow become the de facto official messenger application of the cryptocurrency community, with new channels oriented around NFTs popping up like mushrooms. Hacking Discord accounts has suddenly become a very lucrative business for cybercriminals, who are going in for the kill to make some easy money. They take over admin accounts in cryptocurrency-oriented communities to spread malware and launch further social engineering attacks.

My focus is going to be purely on Discord account security, which should be of concern to everyone using Discord. In recent weeks I thought the attackers were using some new reverse-proxy phishing technique to hijack WebSocket sessions with tools similar to Evilginx, but in reality the hacks I discovered are much easier to execute than I anticipated.

In this post I will explain how the attacks work, what everyone can do to protect themselves and, more importantly, what Discord can do to mitigate such attacks. Please bear in mind that this post covers my personal point of view on how I feel the mitigations should be implemented, and I am well aware that some of you may have much better ideas. I encourage you to contact me or at if you feel I missed anything or was mistaken.

When you log in to your Discord account, either by entering your account credentials on the login screen or by scanning a QR code with the Discord mobile app, Discord sends you your account token in the form of a string of data.

From now on I will refer to that token as the master token, since it works like a master key for your Discord account. This token is the only key required to access your Discord account. That single line of text, consisting of around 70 characters, is what the attackers are after. Once they manage to extract the master token from your account, it is game over: third parties can now freely access your account, bypassing both the login screen and any multi-factor authentication you may have set up. Now that we know what the attackers are after, let's analyze the attack flow.

Deception Tactics

The attacker's main goal is to convince you, in any way possible, to reveal your account token, with the most likely approach being social engineering. First, attackers will create a story to set themselves up as people you can trust, who will resolve your pressing issue, like unbanning your account on a Discord channel or elevating your community status. Here is an example, from a tweet by Little Lemon Friends:

"If you are a project founder/admin, this is IMPORTANT. There is a hack/scam(bypasses 2fa) that scammers are using to compromise discord accounts. Here's how, a"
Little Lemon Friends, January 3, 2022

In this thread you can read how attackers managed to convince the target to share their screen with Chrome DevTools opened on the side. DevTools allowed them to extract the master token by revealing the contents of Discord's LocalStorage.

Discord now purposefully renames the window.localStorage object when it loads, to make it inaccessible to injected JavaScript. It also hides the token variable, which contains the master token's value, from the storage. This was done to prevent attackers from stealing master tokens by convincing targets to open LocalStorage during a screen share.

Discord also shows a pretty warning informing users about the risks of pasting unknown code into the DevTools console.
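As an added example that is not part of the original post and not Discord's own code, here is one way to implement the mitigation described above in plain JavaScript: at load time the app keeps a private reference to the storage object, removes the public window.localStorage property so later-injected code has no convenient handle to it, and keeps the token out of the inspectable key/value store. The window and Storage objects below are constructed stand-ins so the snippet runs under Node; the function names installTokenVault and demo, the tokenKey parameter and the sample token value are assumptions, not anything taken from Discord.

```javascript
// Added example (not Discord's code): a load-time "hide localStorage from
// injected scripts" mitigation of the kind the post describes.

// Constructed stand-in for the browser's Storage object so this runs in Node.
function makeFakeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
    key: (i) => Array.from(data.keys())[i] ?? null,
    get length() { return data.size; },
  };
}

// Constructed stand-in for `window`. Browsers define localStorage as a
// configurable accessor on the global object, which is what lets the app
// remove it; the stand-in mirrors that property shape.
function makeFakeWindow() {
  const win = {};
  Object.defineProperty(win, 'localStorage', {
    value: makeFakeStorage(), configurable: true, enumerable: true, writable: false,
  });
  return win;
}

// Run once when the app loads (hypothetical name). Captures the real storage
// into a closure, deletes the public property, and moves any persisted token
// out of the store that DevTools' storage panel would list.
function installTokenVault(win, tokenKey = 'token') {
  const storage = win.localStorage;        // private reference kept in closure
  delete win.localStorage;                 // public handle is gone from here on
  let token = storage.getItem(tokenKey);   // migrate a previously persisted token...
  storage.removeItem(tokenKey);            // ...so it is no longer in the inspectable store
  return {
    getToken: () => token,
    setToken: (t) => { token = t; },
    clearToken: () => { token = null; },
    // Non-secret preferences still go through the private reference.
    setPreference: (k, v) => storage.setItem(k, v),
    getPreference: (k) => storage.getItem(k),
    listStoredKeys: () =>
      Array.from({ length: storage.length }, (_, i) => storage.key(i)),
  };
}

// Demo: what code with only a `window` reference sees before and after.
function demo() {
  const win = makeFakeWindow();
  win.localStorage.setItem('token', 'CONSTRUCTED_EXAMPLE_TOKEN'); // constructed sample value
  win.localStorage.setItem('theme', 'dark');
  const visibleBefore = win.localStorage.getItem('token');
  const vault = installTokenVault(win);
  return {
    visibleBefore,                               // 'CONSTRUCTED_EXAMPLE_TOKEN'
    windowStorageAfter: win.localStorage,        // undefined
    storedKeysAfter: vault.listStoredKeys(),     // ['theme']
    appStillHasToken: vault.getToken(),          // app keeps working
  };
}

module.exports = { makeFakeStorage, makeFakeWindow, installTokenVault, demo };
```

In a real page, `win` would be the global `window` and `installTokenVault` would run before any other script. Note what this does and does not buy: it removes the handle that a casually pasted snippet or an open storage panel would use, which is exactly the screen-share scenario above, but code already executing in the page can still reach the same data through other references, so the hidden property complements the console warning and user education rather than replacing them.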