Report #22958

Report Date
August 7, 2023
Status
Closed
Payout

Beanstalk official discord server takeover (https://discord.gg/beanstalk)

Report Info

Report ID

#22958

Report type

Websites and Applications

Has PoC?

Yes

Target

Impacts

  • Redirecting users to malicious websites
  • Direct theft of user funds

Bug Description

When a web application has any pages, sources, or links to external third-party services that are broken, the attacker can claim those endpoints to successfully conduct the attack, claim those endpoints on behalf of the target website, and impersonate its identity.

I have posted the news that shows what can be the real impact

Impact

Many people will become victims because they are visiting the Discord channel from the main page. The attacker can create the same channel as the Beanstalk Discord channel

and post malicious content like ransomware, trojans, etc. on Discord, which leads to theft of user funds and stealing sensitive information like location, email, number, etc.

Redirect to the malicious website (Discord server)

References

Proof of concept

In the header, click on the "..." (3-dot) menu and click on the Discord icon.

You will get "invite invalid".

Open Discord and click on your server settings.

Click on Vanity URL.

The Discord channel is fully taken over.
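As an added example (not part of the report and not Beanstalk's own code), the check a site owner can run to catch the condition described above: a Discord invite or vanity URL linked from the page that no longer resolves and so could be registered by someone else. The sample page and invite codes are constructed, and the live resolver's use of Discord's public invite endpoint is an assumption; the offline resolver is what runs here.

```python
import re
from typing import Callable, Dict, List

# Constructed sample footer: one live invite and one dead one (codes are made up).
SAMPLE_HTML = """
<footer>
  <a href="https://twitter.com/example">Twitter</a>
  <a href="https://discord.gg/example-live">Discord</a>
  <a href="https://discord.com/invite/example-dead">Community</a>
</footer>
"""

# Matches the invite URL forms Discord uses and captures the invite/vanity code.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord\.com/invite|discordapp\.com/invite)/([A-Za-z0-9-]+)"
)

def extract_invite_codes(html: str) -> List[str]:
    """Return every Discord invite code linked from the page, in order, without duplicates."""
    seen: List[str] = []
    for code in INVITE_RE.findall(html):
        if code not in seen:
            seen.append(code)
    return seen

def find_dangling_invites(html: str, resolve: Callable[[str], bool]) -> Dict[str, str]:
    """Classify each linked invite as 'ok' or 'dangling' using the supplied resolver.
    A dangling invite or vanity URL is the condition in the report: whoever can claim
    that code on their own server inherits the site's link and its visitors."""
    return {code: ("ok" if resolve(code) else "dangling") for code in extract_invite_codes(html)}

def fake_resolver(code: str) -> bool:
    """Offline stand-in for the invite lookup; only the constructed live code resolves."""
    return code == "example-live"

def live_resolver(code: str) -> bool:
    """Assumption: Discord's public invite endpoint answers HTTP 200 for a valid code
    and 404 for an unknown one. Needs network access; not used by the offline run."""
    import urllib.error, urllib.request
    req = urllib.request.Request(f"https://discord.com/api/v10/invites/{code}",
                                 headers={"User-Agent": "link-inventory-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise

if __name__ == "__main__":
    for code, state in find_dangling_invites(SAMPLE_HTML, fake_resolver).items():
        print(f"{code}: {state}")  # example-live: ok / example-dead: dangling
```

Run it periodically against the site's rendered pages and treat any "dangling" result as an incident to fix before the link is re-registered by someone else.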

BIC Response

This is not a valid bug report because Discord link hijacking is considered out of scope (OOS) due to its classification as a low-severity issue according to the Immunefi vulnerability severity classification system (https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). We do not provide compensation for low severity Website and Applications issues.

Due to these reasons, we are closing the submission and no reward will be issued.