Report ID
#22958
Report type
Websites and Applications
Has PoC?
Yes
Target
https://app.bean.money
Impacts
- Redirecting users to malicious websites
- Direct theft of user funds
Bug Description
When a web application has pages, sources or links pointing to external third-party services and those links are broken (the external resource has expired or been released), an attacker can claim those endpoints, conduct the attack on behalf of the target website and impersonate its identity.
I have included news articles that show the real-world impact of this kind of takeover:
https://www.vauld.com/insights/baycs-discord-server-hacked-again/
https://www.theblock.co/post/145432/opensea-discord-account-hacked-to-promote-scam-nft-pass
https://fortune.com/2022/06/04/bored-ape-yacht-clubs-discord-server-was-hacked-with-360000-in-nfts-stolen-blame-debated/
https://www.coindesk.com/business/2022/06/04/yuga-labs-confirms-discord-server-hack-200-eth-worth-of-nfts-stolen/
Impact
Many people will become victims because they reach the Discord channel from the main page. The attacker can create a server that looks like the Beanstalk Discord server and post malicious content (ransomware, trojans, etc.) on it, which leads to:
- Theft of user funds
- Theft of sensitive information such as location, email, phone number, etc.
- Redirection to a malicious website (the attacker's Discord server)
References
https://bugcrowd.com/disclosures/40a60d98-cc7d-40eb-9e5b-87632875f055/discord-link-expired-possible-vanity-address-could-be-used-to-link-a-malicious-discord-server
Proof of concept
Visit https://app.bean.money
In the header, click on the "..." (three-dot) menu and then click on the Discord icon
You will get "Invite Invalid"
Open Discord and go to your server settings
Click on Vanity URL
Put in this URL: https://discord.gg/beanstalk
The Discord channel is now fully taken over
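As an added, defender-side example (not part of this report or the Beanstalk project), here is a small Python audit script that lists every Discord invite a page links to and asks Discord's public invites API whether each one still resolves; a 404 with JSON error code 10006 ("Unknown Invite") is the expired state the steps above rely on. The function names, the sample HTML and the verdict labels are my own assumptions.

```python
import json
import re
import urllib.error
import urllib.request

# Matches discord.gg/<code>, discord.com/invite/<code> and discordapp.com/invite/<code>
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)"
)
INVITE_API = "https://discord.com/api/v10/invites/{code}"  # public, no token needed

def extract_invite_codes(html: str) -> list[str]:
    """Unique invite codes linked from the page, in document order."""
    seen, codes = set(), []
    for code in INVITE_RE.findall(html):
        if code not in seen:
            seen.add(code)
            codes.append(code)
    return codes

def lookup_invite(code: str) -> tuple[int, dict]:
    """Ask Discord about one invite; returns (HTTP status, decoded JSON body)."""
    req = urllib.request.Request(INVITE_API.format(code=code),
                                 headers={"User-Agent": "invite-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")

def classify(status: int, body: dict) -> str:
    """Turn an API response into an audit verdict."""
    if status == 200:
        return "valid"
    # 404 with JSON error code 10006 ("Unknown Invite") means the invite or
    # vanity URL does not exist: expired, deleted, or never registered, which is
    # exactly the state in which someone else can register the vanity name.
    if status == 404 and body.get("code") == 10006:
        return "claimable"
    return "unknown"  # rate limited, network trouble, etc.: re-check later

def audit_page(html: str, lookup=lookup_invite) -> dict[str, str]:
    """Verdict per invite code found in html; lookup is injectable for tests."""
    return {code: classify(*lookup(code)) for code in extract_invite_codes(html)}

if __name__ == "__main__":
    # Constructed sample page; point this at your own site's HTML in practice
    sample = '<a href="https://discord.gg/beanstalk">Join our Discord</a>'
    print(audit_page(sample))
```

Run it from a scheduled job against the site's rendered HTML and alert on any "claimable" verdict, since that is the window in which the vanity URL can be re-registered by someone else.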