How I found an issue in Discord!


zach • published on 2025-03-16 • 3 min read

Discord, the platform we all love. It's so seamless. It allows you to communicate with friends, play games together, and way more. It's so seamless in fact, that nobody really thinks about the security behind it. Nobody really assumes that a platform so large could have a privacy/security issue.

But alas, that's why I'm here writing about this.

Discord's history in security

Discord generally has a really good track record of fixing issues as soon as they find them. However, a lot of these issues are reported through their HackerOne program.

This isn't bad at all, and it's amazing to see companies taking a better stance towards vulnerability disclosure.

For Discord specifically, there are a lot of passionate people who report security vulnerabilities for $$$ or "badges" on their user profile. Discord calls them "bug hunters".

After seeing these people and how open they were, I wanted to try and find a vulnerability myself, and so I started messing around...

How I found the issue

For context, I used to help own a very large Discord server with roughly a quarter million members. My main role was to be the technical aide to the owner.

As part of this, I helped manage the Discord server's permissions, roles, etc. In an effort to increase security, we made the decision to remove raw Discord permissions in favor of bot permissions. This let us control when or whether a user could be banned, and also made it easier to strip away permissions without a catastrophic event.

We also employed AutoMod, which is Discord's built-in moderation tool. It can automatically time out users for certain words, having a certain word in their username, and more.

When we deployed AutoMod, we had it output its logs to a logs channel in our server, only visible to people with the "@Staff" role, for obvious reasons.

What the issue is

As part of this stripping of Discord permissions, I also removed my own permissions to ensure maximum security.

However, when I checked the AutoMod channel from my iPhone, I was able to see whether a user was timed out or not.

While this may not seem like a large security issue, Discord has stated in multiple FAQs that only people with Discord permissions are able to view whether members are timed out or not.

To reproduce this, I made this video (click to watch): test
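The bug above is a classic example of authorization drift between clients: if the server hands every client the full member record and each client is responsible for hiding moderation-only state, one client that forgets the check will leak it. The following is an added illustration of that pattern and its fix; it is my own example, not Discord's code and not something from the original post. The permission name `moderate_members`, the field name `timed_out_until`, the two client renderers and the sample member are all assumptions constructed for the demo.

```python
"""Added example: why visibility of moderation state (such as a timeout)
must be enforced at the API boundary rather than in each client.
Not Discord's code; all names and data below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Set

MODERATE_MEMBERS = "moderate_members"  # hypothetical permission name


@dataclass
class Member:
    user_id: int
    timed_out_until: Optional[datetime] = None  # hypothetical field name


@dataclass
class Viewer:
    user_id: int
    permissions: Set[str]


# Constructed sample data (not real accounts)
NOW = datetime(2025, 3, 16, tzinfo=timezone.utc)
TIMED_OUT = Member(1001, timed_out_until=NOW + timedelta(minutes=10))
STAFF = Viewer(1, {MODERATE_MEMBERS})
REGULAR = Viewer(2, set())


def serialize_leaky(member: Member, viewer: Viewer) -> dict:
    """Weak design: the API returns the full record to everyone and relies on
    each client to hide moderation-only fields."""
    return {
        "user_id": member.user_id,
        "timed_out_until": member.timed_out_until.isoformat()
        if member.timed_out_until else None,
    }


def serialize_hardened(member: Member, viewer: Viewer) -> dict:
    """Hardened design: the field is only included when the caller holds the
    permission, so every client receives the same already-redacted record."""
    out = {"user_id": member.user_id}
    if MODERATE_MEMBERS in viewer.permissions:
        out["timed_out_until"] = (member.timed_out_until.isoformat()
                                  if member.timed_out_until else None)
    return out


def desktop_render(payload: dict, viewer: Viewer) -> dict:
    """Stand-in for a client that remembers to hide the field from
    non-moderators."""
    shown = dict(payload)
    if MODERATE_MEMBERS not in viewer.permissions:
        shown.pop("timed_out_until", None)
    return shown


def mobile_render(payload: dict, viewer: Viewer) -> dict:
    """Stand-in for a client that shows whatever the API sent, i.e. the kind
    of cross-platform drift the post describes."""
    return dict(payload)


CLIENTS: Dict[str, Callable[[dict, Viewer], dict]] = {
    "desktop": desktop_render,
    "mobile": mobile_render,
}


def timeout_visible(serializer: Callable[[Member, Viewer], dict],
                    member: Member, viewer: Viewer) -> Dict[str, bool]:
    """For each client, report whether the viewer ends up receiving the
    timeout field at all (key presence, not just a non-null value)."""
    return {
        name: "timed_out_until" in render(serializer(member, viewer), viewer)
        for name, render in CLIENTS.items()
    }


if __name__ == "__main__":
    for label, ser in (("leaky", serialize_leaky),
                       ("hardened", serialize_hardened)):
        print(f"{label:9} regular viewer:", timeout_visible(ser, TIMED_OUT, REGULAR))
        print(f"{label:9} staff viewer:  ", timeout_visible(ser, TIMED_OUT, STAFF))
```

With the leaky serializer the regular viewer is protected on the desktop stand-in but not on the mobile one; with the hardened serializer the answer is the same on every client, because the decision was made once, server-side, where the caller's permissions are known. That is the property a reviewer should look for when a UI-level check is the only thing keeping a field private.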

Reporting the issue to Discord

After confirming that this was indeed an issue, I promptly reported it to Discord's security team.

[Image: me reporting the issue to Discord]

After a few months, I finally got an answer.

[Image: me reporting the issue to Discord]

TLDR:

  • The issue was marked as low severity
  • Since it wasn't a pressing security issue, there would be a long SLA until it's fixed (i.e. they don't plan on fixing it until more pressing things are fixed)
  • They gave me a $100 bounty!

Aftermath

This was my first ever bounty, and I'm very grateful to the Discord security team for taking issues like these seriously.

For those wondering, I put the $100 towards a new MagSafe charger :v