discord has a security problem
Vložit
- čas přidán 27. 08. 2024
- Discord accounts have been getting hacked and this method in particular caught my eye.
↣ Get Members only perks at iamlucid.com
pls subscribe: iamluc.id
★ STAY LUCID
↣ Get a real life V-Card
- iamlucid.com
↣ Donate crypto to lucid
- iamlucid.io
↣ WhatsApp Channel
- iamlucid.chat
- / discord
- / iamlucid
- / iamlucid
- / iamlucid.com
#iamLucid
About iamLucid:
I make videos on Lucid Dreaming, the Dark web, Self-growth, Virtual reality, and other thought-provoking content because the internet needs it.
discord has a security problem
• discord has a security...
iamLucid
/ iamlucid
Join the homies and intellectual discussions we have regularly iamlucid.gg
lucid get the webhook from the exe file (it should be in there somewhere) and you can get access to pretty much all the channels from their hacking server
Off topic but are u gonna make zenith vr vids?
Got banned for no reason, need help
Lucid makes the best vids
cant bc im banned 😭
Remember bois.
They can’t steal your money if you don’t have any money.
@@mo-fo joe dada
@@itzlqmer6084 cant make a your dad joke if you're an orphan
@@theincarnateofkurro but they can make an orphan joke. They can’t make an orphan joke if you’re dead
@@Ev3rly can make a death joke. cant make a dead joke if you never existed
@@theincarnateofkurro so everyone can make a joke on me rn???!?!??!?! 😭😭😱😱
Definitely something that the wider community needs to be aware and cautious of.
Hello
@@Berksys you should be asleep, and so should I 😂
@@mo-fo yessir 💪
@@r3za_ fam, if u fully knew me, u would know i never sleep
Bro he executed a random .exe file. That's something anyone should be aware of not to do
2:17 unfortunately, there's this whole community on discord dedicated to joining each others' servers just to get bigger servers and server boosts
nonetheless, great video bro
yeah its cringe asf
what no pussy and no life value does to someone
i own a 3,5k j4j server. it really helps server development and is a gift to the community!
nobody on your server is there for you, always remember that. pretty pointless if you ask me.
@@dayfay PAIN
this is like unlocking your door and opening it for a person holding a machete and then blaming the lock manufacturer for your injury
this would never happen if discord security is good
@@cushyuu This would never happen if people didn't join random servers with random people who aren't well known in the community
@@Matthewkyos thats not the cause of it
@@cushyuu Eh still people's fault for doing it
@@cushyuu Shit like this wouldn’t happen if people weren’t stupid enough to click untrusted links and download random ass files discord security is not the best but at the end of the day if you’re stupid enough to have this happen to someone it’s their fault not discord’s
Discord danger number 1 for me:
*Hentai Servers*
Any NSFW server.
lmfao
Coomer
@@Zoxxies yep
ayo you trynna trigger Lucid?
Everyone gangsta until 5 friends dm you about a hacker, then the hacker dm you
Im semi famous.
We watched the video, thanks
@@drilonkolica2044 no problem, glad to help you
4:24 they probably used a bot command to ban you, so they pinged you for the bot to know who to ban
yes
yes
I see
@@iamLucid bro casually responded 4 months after I commented this 😭
Wonder if discord will even shut their discord server down, or even take any action at all, if they knowingly neglect to take action against fraud on their own platform I'd imagine that end in a pretty nasty lawsuit.
There is no way for them to prevent this since tokens are saved locally on your device meaning malicious actors can send you a file that you run and it will dig through your computer for the token that is stored
It is not discord’s fault this is happening to people it is the users. People will just have to learn sadly
Never said it was directly, I'm simply pointing out the fact that if they're aware of this happening and don't at the very least try to investigate the wrong doings and take some sort of action, which is something they certainly can do, then they aren't contributing to solving the problem. Especially if there's a server being excessively boosted by stolen accounts which I'd bet is the case here,.
@@SpecialOpsPepe the servers that boosted so get taken down after it is reported
Discord is constantly shutting down tons and tons of scam servers - for example (not much of a scam server, but still illegal) the Synapse Roblox exploit server has at least been shut down and the owner's account deleted 100 times
Discord isn't responsible for yours or anyone's content uploaded to their servers. Same goes with Facebook and other social media's. Read the terms of use and community guidelines.
finally this comes to light i've been telling people about this forever
I suggested Discord to add a feature that emails you or texts you if someone logs into your account even if it is through token but they denied the suggestion...
Id the person loggs in your account you get a email with there ip address
A token isn't a log in. Treat it like they just took your computer and opened discord. A token is just so you don't have to constantly log into discord everytime you open it.
This wouldn't fix it, a token aint a password or logging you in, it is that "sessions" login, if you login you get a token, if that token is snatched then like roblox, you have to logout for it to reset, not sure if that works on discord or not
@@RealTkco When you login to token though you are sending request to them right?
@@Parritz Can't they make one? When loging in with token, they are requesting for the user they are logging into all their information in their account. They can just add a request when someone logs in whether it is through login or token and can send to the user email.
can’t believe some mfs are comping discord accounts just to boost their discord server ☠️ there is no worse level of Downbad
Imagine hacking someone just because you want a girl doing "cute" faces on your pfp...
fr, u getting no personal gain but boosts on a server, thats gonna get refunded then banned. so cringe
its not downbad its pathetic and cringe.
yup
I can't believe how big discord is, and it literally can not afford time for better security.
Discord can not fix this it’s sad to say but it is true
Your token to log into discord is saved on your computer meaning that when that file runs on your computer it heads to the file it is saved in takes it and sends it to the discord server
@@chrisi3311 Discord should make it so requests to the Discord API by the Discord Client will only be authorized if it is by the IP that logged in and validated said token, it will stop many of these attempts.
@@oppressormk2594 Better to bind it to some hardware combination of your PC. IP addresses change often.
smh people really got nothing better to do, stay safe out there y'all
Right it’s honestly rlly sad
*guy executes random executable from the internet*
*gets hacked*
"dIsCoRd hAs a sEcuRiTy pRobLeM"
this has been happening since like 2019. its not really big news but im glad youre bringing awareness to it. happens on roblox a lot too, people get scammed out of hundreds of dollars.
I dont understand why not more people talk about this issue. Especially Discord, I feel like they are doing nothing against this issue. Great Video lucid, thanks for talking about this.
Lucid I just wanna tell u that ur a really fucking good speaker I could tbh listen to u for so long without getting bored. Wish my teachers could be more like that
The fact that the literally log their stolen accounts on a DISCORD server should make it so easy to find for discord but they still dont... wtf.
It's like storing the money from a bank heist in the same bank xD
Yep it is pretty sad that they don’t check the discord web socket connections for the data that is being sent
@@TickingEnum I am talking about the malicious file that people click it sends the information to a discord web-hook usually.
I understand how Authentication tokens work, what I was saying is discord sadly does not check what is being sent through the web-socket connection
@@TickingEnum when you are sending the information to the discord web socket they are able to read it since it is going through there server if they realize a web socket is being used maliciously they can shut it down
Ain't it a webhook not a web socket
@@sebf98s90fh2 it is a webhook for discord under server management in any server you are a admin in. Sorry if I said web socket I was on mobile.
There is no way to prevent this sadly it all comes down to common sense if someone sends you a file through discord just don’t open it even if it is from your friend, The reason why there is no fix to this is because authentication tokens exist to make the login process quicker. With most of the code that is used to token log can all so be used for more sketchy stuff like stealing tokens for other websites since it is pulling the information that your browser has saved.
...so would you say instead of opening the file through discord that they are trying to link you then you should open the file in another tab and physically type out the address of the link of that file to see where it goes?
@@ReptilianXHologram no the file that they send you you can make into readable text see we’re the link goes to and then report that link to discord
This is no joke bro, discord has to take this seriously.
not discords fault. it's the users for downloading sketchy files
@@drownindesigner Correction: Discord's fault for hiring incompetent developers who put zero effort into making good security. User's fault for their lack of common sense.
@@Four-fi1fr it's not discord fault that ur token is leaked.
@@itsyaboivoid you just,gotta be careful.
It's not just discord, any popular platform is subject to this type of attack there isn't much you can really do about it personally, not even discord can do much about it. They can add better safety measures to make it harder but the attacks will still be there. It's not like discord can get rid of authentication tokens or cookies. There just really isn't anything you can do about it besides not downloading random things people send you.
That's why i use firefox which has a feature for encrypted password manager which i store my randomly generated passwords in and a auto-delete all cookies option when you close firefox.
Even a virus could not access my discord account or any other account for that matter
edit: if you don't wanna do that shit and give up your browser for firefox you could just enable controlled folder access on firefox folders only which will give you a message when a program tries to get into that folder tho i think it can be bypassed by viruses by disabling controlled folder access (But all viruses are dumb as shit so they wont do that)
Be careful out here.
my friend got hacked today on discord, i joined a discord call with 2 other friends and one was screensharing. the messages were about a virus about rating a game or something. I then went ahead and talked with the hacker, didn’t make any suspicions on purpose and asked him what his name was bc i “forgot” and the hacker replied with “lol stop kidding”. a few hours later my friend that had been hacked messaged me back saying “yo wtf i didnt send that shit” ya’ll stay safe out there, DON’T CLICK LINKS THAT LOOK DODGY!
bro this is seriously a felony, someone should contact the police or something because this shit can breach international privacy laws, passwords and other shit is sold maliciously online to other people.
i was in discord when they showed you the hack :D
its actually pretty interesting how fast it can happen and that it bypasses stuff like windows defender
All it does is read a file. Not a windows defender problem.
@@DrShockz It sure as hell is a windows defender problem, they are super anal about any exe you download why it wouldn't do the same for this malware is likely due to the fact that the user disabled defender on downloaded files thus its actually user error.
Sees notification on my phone.
Instantly deletes discord and THEN proceeds to watch lucid video
The token is the gateway to the entire API. There is no easy solution to change ALL of it without practically rewriting discord.
8:30 "It's not anybody's fault besides discords themselves."
It absolutely is not discord's fault. It is almost entirely the fault of the end user. Running a random executable someone gives you is breaking the #1 rule of using the internet. Even if it's from a friend that you supposedly trust, you have no idea what that executable can be doing, as you cannot see the source code.
Also, you should Never, never, never, NEVER store credit card information or information regarding your personal address in plaintext. Never. That is a commandment.
So even if this person had run the executable, had they not stored their personal information, the breach of security would have been much less severe. It's not that hard, just type it in every time you want to pay for something. Better safe than sorry.
Regardless, there is more than discord could be doing to mitigate this issue. For instance, if someone sends you some sort of file that executes some sort of code or process on your machine, discord could display a caution before you download, along with some basic internet safety tips. But when you say discord is completely at fault, what exactly do you expect them to do? Disable uploading executables? Require executables to be from a verified publisher? Do away with tokens? Filesharing on discord is merely a tool, and a tool can be used for both good or bad. But if you're ignorant and automatically trust every file that is sent your way, you are practically asking to have your account breached/stolen.
Bruh exactly lmao, this guy is over exaggerating this a lot too, it made me cringe a few times. He acts like its such a big deal and like hes so unlucky that it happened to him when in reality its the internet and if you expect anything less you shouldnt even be on the internet, and then he blames shit on discord themselves rofl
you do understand that your ID translated to base64 gives the first half of your token right? after that its just a few minutes of bruteforce and bobs your uncle. Its not always the user's fault.
@@WSH3TM Regardless if you have the first "half" of the token, which is, in fact, an encoded version of your ID, there are still 32 Base64 characters left that you would have to guess. I'm not sure you realize how many possible permutations a length of 32 Base64 characters can produce, but I will leave you to do the math for yourself. Let's assume that the wordlist you've generated isn't around the number of atoms that exist in the observable universe, do you have any entire how long it takes to bruteforce a secret over the internet? You would have to have an interval between every login attempt to avoid being rate limited or even a timeout, which severely increases the time it would take to bruteforce it.
Yes, it does contain your user ID in *some* of the token. But Discord isn't stupid. There's a reason it's used, and it's not inherently insecure. The only way, in this case, that you would be able to grab the token is by having admin permissions on the user's local machine at the time of logon. And how do you do that? You guessed it, an executable!
@@WSH3TM This isn't even remotely true. Also goodluck brute forcing that lmao, that will take millions of decades.
Are you crazy? I'm losing brain cells talking to you give me your username and ill let you talk to my friends
funny thing is its not even hard to do so grabbing tokens, discord needs to fix up their security shit no kizzy
edit: it got taken out of context
What should they do? Not use cookies for authetication? It's not discords fault that people execute random files on their PCd
@@Cookiekeks exactly there is no way for discord to fix this authentication tokens are in Maloney every website/web app. There is not way for discord to fix this hades
@@chrisi3311 Exactly.
@@Cookiekeksand its not peoples fault that they open up exe files from people that they trust, the thing that discord could do is that the exe file seems to be suspicious are you sure you want to open it, cuz sure as hell they put it on links.
@@hades7059 How the heck should discord warn you when you open random files on your computer? Should it track every file you open??
*Lucid: they kept running, why are they running*
*Me in my head: WHY aRe YoU RunNing*
😂
Make sure to eat and stay hydrated homies
Same for me and of course
That's why you should most of the times always "Delete payment method" if you're worried about this happening
My Discord server isn't huge (865 members) but we've had a couple of "Free Nitro" spam attacks. It was from a new account so I set Dyno bot to autoban newly created accounts to help with security as much as possible. This hacking/spamming/trolling thing is so annoying. Thanks for bringing this to everyone's attention!
I disabled links and blacklisted csgo nitro
this shit was crazy bro
7:59 😂😂
I was shocked when it happened and Zead told us about it , and still am . Please stay safe and always question links sent even by your closest friends until discord solves this !
Thats literally why I question every link my friends send me even with my hacking knowledge vpns static ip etc. I still question links
Yeah this is why I don’t put any info into discord. They really need to fix it so people can’t just take some letters and numbers to have ur info
Ngl I don’t get why ppl get hacked so often it’s not difficult to stay safe nowadays.
I think when it comes to making your own bot for your discord server, there should be some more verification steps. Most people don't really care about the idea of a strong system. This becomes a problem when it's people you cannot trust making programed bots.
official bots already do, you cannot add your own bots to other servers without the administrator approval, however these petty scammers are using NORMAL ACCOUNTS to make bots, which is against tos.
I disagree with you about how it's discord's fault. The user ran that file not knowing about the token/cookie logger. It's no one's fault however I do believe discord can improve their auth system by making the auth token change every time you log in or log out, or just overchange every 24hrs. This will avoid hackers because it will expire the old token and have the new token in place.
If you run the code though they could easily get persistence and just constantly watch your PC for token changes. All discord can really do is warn people about random files.
@@withincode6848 yeah honestly, just don't download random fucking things
You are barking up the wrong tree here. That's pretty unreasonable. A JWT token is stored in their database, each user is assigned it. you aren't thinking about scalability at all. the token should only be changed when a password is changed or such. if everybody token changes every 24 hours or when they log in/out that means millions of database writes JUST to change tokens. think about that, added onto the already millions of messages per day. that would scale horribly and would cause them to need to spend much more on actual computer hardware rather than making more features.
@@alaninnovates6353 tokens are changed every time a user logs in. It's not that hard on their servers lol. Literally all you have to do to prevent them from doing this is (if you've already logged in and they stole the token) log out and log back in on another uncompromised device. The way that you describe a JWT token literally points to the fact you have no idea what you're talking about. Tokens aren't used for anything besides user sessions.
@@lillious Are they? Last time I checked, they were only changed when you changed your password, which is how the token is generated in the first place. Additionally, JWT's are used for authentication on the backend, sent from the frontend (normally) as a header. Any request to discord's API requires you to have a token. They are not JUST for sessions. They are for the authentication of every single request.
A big server got hacked too and all the channels and mods where banned luckily it wasn't the owner but its so crazy how easily you can get hacked just for the hacker to ruin the server . Honestly discord needs to do something soon or it's gonna be one big fine
ive been in multiple servers warning people to not download stuff like that. no offense to your friend but its kinda his fault, its common sense to not download that kind of stuff
Token Grabbing is so dangerous
Fr i remember someone got token logged in my server
Ayo lucid! it’s always feels good to see you ly❤️
I've talked with several discord employees because i have friends who knows them irl, they keep saying they are working on it but i never see any improvements, this could be fixed EASELY, but they simply dont care, why do you think they dont allow more than one nitro refund? Well, because if you get hacked again, or someone hacks you and you dont notice then they are the ones getting the money. Discord does NOT care about their members, not even the people making their platform work, the server owners.
bein tgd ain a problem on just discord, issa problem everywhere
This is in no way, shape, or form Discord’s fault. It is not Discord’s fault that they downloaded something and ran it. I should also add that no one just ‘gets hacked.’ If someone gets hacked they always ran something, clicked something, etc.
Hes really lucky they didn’t completely take over his pc since it wouldn’t be hard for them to do so
Steam scam is taking over discord right now, I'm moderator in a server of 100k members and I ban more than 5 users everyday sending nitro links which is really dangerous if u click it
Appreciated this video ❤️
happened to me as well, but discord does not give a fuck "you need to protect your own account" apparently
Imagine a place..... where hackers and pedophiles and scammers exist.
''Discord has a security problem''
Yep, the floor is made of floor
This happened to me a year ago so I know how scary it is, stay out there everyone.
at this point Don’t trust ANYONE on discord, don’t trust any suspicious message, make sure you monitor how your friends talk and make sure you don’t get scammed because if these people get a hold of your address or IP it’s over. 😕
I think you just shouldn't download stuff from your discord "friends" because as you can see its no good
Common sense can't be taught sadly
Someone needs to reach out to someone that works for discord or some shit because they can’t stick with the same security that they have right now.
We gotta protest
one thing to always remember: NEVER CLICK LINKS FROM RANDOM PEOPLE
Discord's security system was always trash and always will be. My account was hacked like 9 times and they don't seem to give a shit even after I've emailed them.
3:41 bussy 🥶🥶
Dang i never knew Discord security was this bad
@@Parritz fax, It rlly takes less than 2 lines of code in an exe to completely destroy your windows
@@Parritz it is
tokens should just change at every login
When my account got hacked like 2 months ago, I emailed Discord so many times, so many dudes I tried to work with, but none helped me out. a few weeks later my account is deleted. Discord has a serious security and support issue.
Tip to keep your account relatively safe:
After every purchase on your discord account, clear/delete the credit card information off of it. If you have nitro, fill in the card information the day before you're supposed to be charged, then remove it the day after. It's a pain in the ass, but it will keep your credit card info safe even if someone logs into your account.
I can't believe discord security is so bad that we have to find ways to prevent hackers on our own.
The fuck do you even get with nitro?
Their probably were using Lunar Builder binded to Itrouble, or mercurial. most likely Lunar, how I know is I used to do that, except i never carded someone
I was thinking it's more piratestealer type deal
Token Logging, token Generating and more is widespread but it's common on Discord due to it's notoriety and benefits. Tokens are a common authentication method is not a security issue that someone downloaded a file onto their PC and got logged, generating has a low percentage of working so that can easily be ignored for now and it's so easy to change your token; all you have to do is change either your email or your password.
this is why most higher ranked people should have 2fa enabled, token logged accs can be reset after changing password and the token resets
Bro actually went that far for fucking discord nitro
Imagine being that broke
Instead of buying nitro on my main account. I get a google play giftcard and log into a alt and gift nitro to my main so then if my account ever gets hacked they cant get my address etc
this has been a other issue too with a russian hacker who hack steam and discord accounts from there they promote nitro and csgo skins and knifes its the same message and its really big
My discord got hacked like 3 weeks ago so I can understand your frustration lol
simply: dont download sketchy shii
I actually fell for one of these and my account got compromised. But, revenge story: when they didn't suspect Discord Support would be able to recover my account, I recovered the account and much to my surprise the account had admin in a lot of shady, phishing-esque servers, and I DELETED all of them channel for channel, person for person. Isn't that just hilarious? LOL. Anyways sorry this happened and hope you guys give these shitheads what they deserve.
boys i just relapsed on nofap. i failed nnn. all good tho we start over. we take those. i will never give up
I made a ticket 5 months ago to help them make a good security, but they said " We don't need your help.." and stuff
Love From Bangladesh 🇧🇩❤️
Deng I remember when lucid had nice luscious hair in his videos 😭 now I think he don’t care be rolling out the bed n shit lmao
It’s crazy because they have all these protocols to prevent pulling ips, but zero shits are given to the actual account token itself. It’s kinda bullshit tbh.
I feel like all these social media sites done really give a fuck about anyone besides themselves it’s all about the money and popularity
This was very interesting lucid
If discord allows pedos and other shit, getting hacked should be expected
My day always gets better when you upload man. Keep it up.
Ok so don’t call a hacker they can pull ips from being in a call with you(if you don’t have a vpn) like this so lucid sees this so he knows in case he didn’t
What’s really frustrating is how much Discord is dragging their feet on these issues
Excuse me, it is not Discord's fault, it is the fault of the person who runs the virus.exe smh
i had a friend, i meet him over CS:GO, he seemed like a nice guy, we haven been playing lots comp games. He invited me to a server with his friends, we dm us very often , just incase if one of us was curios if somebody had time. AND THEN he send me a file wich said (i deleted the chat) but basicly it was a virus. somehow i didnt got a virus, maybe there was a secret anti virus i didnt knew was there, then one of the server members contacts me and said: "hey your friend hacked my steam account, can you try to get it back?" i messaged him through discord and steam, but this were just his alts, he never responded.
get to know the person, ask some questions like where your born and whats the name, i know, its sends some creepy vibes, but do so much activites together and if he trusts you, you can trust him.
Yeah i got hacked as well a while back, the discord team did NOTHING to help me, I had to get my friend to rehack my acc to get it back
It's not discord their fault. Authentication tokens are required for everything and discord's authentication tokens are very secure and cannot be brute-forced. Not their fault some 14-year-olds run every .exe file he sees.
Discords security is absolutely horrible and I know multiple computer science majors who agree with that.
@@theinspector9392 show me some proof then
This token-grabbing stuff has been going on for way too long on Discord. Hopefully, Lucid making this video will make Discord realize how huge this flaw is and how much it impacts Discords' users.
My friend recently got hacked by an account from New York and we live no where near America and once it was hacked it spammed his dms with p*rn bot servers but thankfully his acc is back but discord really needs to fix this security problem
Say cap all you want but when that discord sound went off I Gota discord notification lmaoooo
He's acting like malware is preventable lmaoo, it isn't discords fault, it's theirs for downloading it.
Anyone from India?? ❤
Nah bro
discords token grabbers are always updating and everyone is a google search away from setting one up. just dont download anything unless ur friend confirms that it is save and you are sure that he is the one
my discord account actually got hacked almost 4 weeks ago, my email got changed and i've opened so many discord support tickets but still no progress no replies no help from the discord team this is so pathetic i actually gave them any information they needed but they seem like they don't care.
Discord has now gone so far they've even started rolling out a feature where it asks you to accept someone's first dm to you because some snowflakes click anything they see on the internet.
@NamedBinaryTag I know it's not discords fault I wasn't blaming them
@UCxjIeYp-d3MRZCqa0tkdQ8Q watch the video poopooo
@@cushyuu who you talking to
@NamedBinaryTag thats not my point, the guy i replied to said "random person", its not.
@NamedBinaryTag oh youre right
My boy uploaded
Feel this yeah, discord acc randomly got hacked (didn't download anything or do ANYTHING AT ALL) and it was just gone. Got it back, but barely managed to, discord said it was impossible for me to get it back, as they thought I was hacking it, as their security is "next level" convinced them to give it back to me tho
You’re never supposed to respond or open it because that’s another way they are able to get your info off that.
They can get info just by replying to the message ?
my friend got hacked 3 times like this, and then he messages every every every facking friend the hacker messaged to say it was not him, respect to the people who get hacked :(
I’ve been hacked 6 times now, 3 accounts had nitro and it was consistent. I lost so many friends because I never got to remember their tags..
I actually got hacked once on discord, but I didn't download anything. I just one time saw an email by discord saying 10$ was spent on my account, I immediately unlinked my card and luckily got my money refunded.
Fun fact if you attempt this the bank will find out, If a federal agency asks for the information from your vpn company they will give them your IP, Vpns actually store your IP.
ok so happens if i use a proxy chain or a VPN hosted in countries that have strict privacy laws