Discord’s preview bot redirection vulnerability

10 months ago 66
BOOK THIS SPACE FOR AD
ARTICLE AD

Le Noctambule

Every social media and messaging app out there uses a system to preview links which consists of a bot that visits the page and generates a preview by gathering og data, embedding videos, images, etc … Mainly, to keep the users from leaving their lovely and addicting apps.

However, if you manage to lure that bot into sending its request on the wrong page then it’s a goldmine for the bad guys since it’d allow them to display previews of legitimate websites under malicious links.

And this is where it leads us, to Discord. There’s a bug that is actively used to send fake invites, to increase success rates of website spoofing. The bug involves sending two URLs separated by a bunch of spoiler markdown characters to generate a preview of the second URL and ignore the first. It’s been a year and this bug still hasn’t been fixed.

This bug led me to find another one by going through the assumption that this bug is only possible if the message is parsed by the Discord preview bot after it has been converted to Markdown. I’ve tried a few things and I’ve realized that backquotes can potentially be abused because it behaves this way :

Before markdown : “Hi, this is a `test`”
After : “Hi, this is a <code>test</code>”

So if the markdown code is parsed to generate previews then we could craft a URL such that it visits the first part for preview and sends the user to the second part.

Before markdown : “https://www.youtube.com`to_be_ignored_by_the_bot`"
After : “https://www.youtube.com<code>to_be_ignored_by_the_bot</code>"

This payload still generates the YouTube preview, however, when we click on the link it will send us to https://www.youtube.com%60to_be_ignored_by_the_bot%60/ which isn’t useful.

So now, all we need to do is find a trick to make the URL go where we want it to go and one way to do it is to abuse this special URL format http://login:password@website.com which is a deprecated way to pass credentials through an URL. This way we can use the login part to send the target of the preview bot and the second part for our malicious website.

So this message https://www.youtube.com`@lenoctambule.dev/?` will send the preview bot to www.youtube.com and will send the user to lenoctambule.dev. Luckily, this deprecated format is no longer supported on mobile phone browsers, Chrome and Edge. This will cause the first part to simply be silently discarded on these browsers but will display a warning on Firefox.

Here’s how it will display to the user :

And voilà! The URL above will send us to my website and the preview to YouTube. Sadly, this bug was not accepted by Discord as “phishing and social engineering” isn’t their concern (their words not mine).

A lot of the blackhat activity and economy consists of website spoofing, luring users into logging in and handing in their credentials. And since it can’t be done asynchronously because of 2FA, access to the real-time activity of these websites is then sold as a service to people who will try log into the accounts. (see an example here where I take control of a telegram logger bot). It’s a real ecosystem and the better your website is, the more people will pay for access to the logger.

Since those phishing URLs are distributed massively, it does not matter to them that most people won’t click, however, every percent counts and they are using tricks such as homograph attacks, XSS, redirection vulnerabilites to increase that success rate.

This is why these bugs need to be fix to make the internet a safer place for everyone.

I’ll leave this here for Discord devs if someday they want to fix these bugs for good instead of using bubblegum and duct-tape. This bug can easily be fixed by moving the URL parsing before the conversion from Markdown syntax to HTML.

Read Entire Article