
Report #22026

Report Date
July 8, 2023
Status
Closed
Payout

Discord Broken Link Hijacking

Report Info

Report ID

#22026

Target

Report type

Websites and Applications

Impacts

Persistent content spoofing / text injection issues

Has PoC?

Yes

Description

I have found a Broken Link on the Web Application (https://docs.roottoken.org/resources/links). At the "Links" section of the page, a Discord Server link has been provided. But the Discord server invite link 'https://discord.com/invite/rootmarkets' is no longer valid.

This Broken Link can be hijacked by an attacker by creating a discord server that points to the expired link. Everyone who tries to connect to the official Discord server for support will be connected to the attacker-controlled server.

Impact:

This Broken Link can be hijacked by an attacker by creating a custom invite link of his server, the same as the expired link. Everyone who tries to join the official Discord server will join the attacker-controlled Discord server.

An attacker can use this Discord server to spread misinformation regarding the Platform, harm the organization's reputation, or simply carry out phishing attacks. All the users who join Discord for help will be contacted by the attacker and the users may end up providing sensitive information to the attacker.

Recommendation:

Please update the Discord invitation link with a valid server invite link to prevent this vulnerability.

Reference:

Proof of concept

The broken link can be hijacked using Discord custom links. The same link cannot be generated again, but the attacker can register a custom link that is the same as the expired one.

You can check the 'Custom Invite Link' feature provided by Discord: https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link

Detailed steps for link hijacking:

The expired link available on the web page was 'https://discord.com/invite/rootmarkets'.

To hijack the broken link, an attacker simply needs to create a custom link with the same ID as the previous one. The attacker-created link will look like 'https://discord.gg/rootmarkets'.

Here you may have noticed that the attacker-registered link starts with 'discord.gg' and not 'discord.com/invite'. But by registering the 'discord.gg' custom link, the 'discord.com/invite' link also gets registered to the same server.

(This is because 'https://discord.gg/rootmarkets' redirects users to 'https://discord.com/invite/rootmarkets'.)

Now the broken link 'https://discord.com/invite/rootmarkets' will be registered by the attacker and the site users will be redirected to the attacker-controlled Discord Server.

Please find the attached document for your reference.
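A defender-side check for this class of issue, added here as an example (not the reporter's or the program's code): it extracts Discord invite codes from a page in both URL forms the report mentions and classifies an invite-lookup response, so dangling codes on a docs page can be found and replaced before anyone else registers them. It assumes Discord's public invite endpoint and its "Unknown Invite" error code 10006; the User-Agent string is a placeholder.

```python
"""Audit a page's Discord invite links for codes that no longer resolve.
Added example for this report, not the reporter's or the program's code.
Assumes Discord's public GET /api/v10/invites/{code}, which answers 404
with JSON error code 10006 (Unknown Invite) for a code nobody owns.
"""
import json
import re
import urllib.request
from urllib.error import HTTPError

# Both URL forms from the report resolve to the same invite code.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord\.com/invite)/([A-Za-z0-9-]+)"
)
UNKNOWN_INVITE = 10006  # Discord JSON error code: invite does not resolve


def extract_invite_codes(html: str) -> list[str]:
    """Return the distinct invite codes found in a page, in order of appearance."""
    seen: list[str] = []
    for code in INVITE_RE.findall(html):
        if code not in seen:
            seen.append(code)
    return seen


def classify_invite(status: int, body: str) -> str:
    """Map a lookup's HTTP status and body to 'live', 'dangling' or 'unknown'."""
    if status == 200:
        return "live"
    try:
        err = json.loads(body).get("code")
    except (ValueError, AttributeError):
        err = None
    if status == 404 and err == UNKNOWN_INVITE:
        return "dangling"  # unowned code: a custom invite could claim it
    return "unknown"  # rate limit, block, outage: re-check, do not assume


def check_invite(code: str) -> str:
    """Live lookup against the Discord invite endpoint (network required)."""
    req = urllib.request.Request(
        f"https://discord.com/api/v10/invites/{code}",
        headers={"User-Agent": "invite-audit/1.0"},  # placeholder agent string
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_invite(resp.status, resp.read().decode())
    except HTTPError as e:
        return classify_invite(e.code, e.read().decode())
```

Run `check_invite(c)` for each code returned by `extract_invite_codes(page_html)`; any result of "dangling" is a link to replace, and "unknown" results should be re-checked rather than treated as safe.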

BIC Response

This is not a valid bug report because it refers to roottoken.org, which is not an in-scope asset. Even if it were in-scope, this issue would not be persistent spoofing and a Discord server on its own cannot cause a user to lose funds.

Due to these reasons, we are closing the submission and no reward will be issued.