Beanstalk official Discord server takeover (https://discord.gg/beanstalk)
Report ID
#22958
Report type
Websites and Applications
Has PoC?
Yes
Target
Impacts
- Redirecting users to malicious websites
- Direct theft of user funds
Bug Description
When a web application has pages, sources, or links to external third-party services that are broken, an attacker can claim those endpoints, conduct the attack on behalf of the target website, and impersonate its identity.
I have posted news articles that show what the real impact can be:
https://www.vauld.com/insights/baycs-discord-server-hacked-again/
https://www.theblock.co/post/145432/opensea-discord-account-hacked-to-promote-scam-nft-pass
Impact
Many people will become victims because they visit the Discord channel from the main page. The attacker can create a channel identical to the Beanstalk Discord channel
and post malicious content such as ransomware or trojans on Discord, which leads to theft of user funds and theft of sensitive information such as location, email, and phone number.
Redirection to a malicious website (Discord server).
References
Proof of concept
Visit https://app.bean.money
In the header, click the . . . (three-dot) menu and then click the Discord icon
You will get "Invite Invalid"
Open Discord and open your Server Settings
Click Vanity URL
Put in this URL: https://discord.gg/beanstalk
The Discord channel is fully taken over
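The manual check in the proof of concept (find every Discord invite the site links to, then see whether the invite still resolves) is the kind of thing a maintainer should automate before an attacker does. The script below is an added example, not code from the report or from Beanstalk: it extracts discord.gg / discord.com/invite codes from a page and classifies each one using Discord's public invite endpoint (`GET https://discord.com/api/v10/invites/<code>`). The sample HTML is constructed, not the real bean.money markup, and the assumed response shape (HTTP 200 with a `guild` object for a live invite, HTTP 404 with Discord error code 10006 "Unknown Invite" for one that is expired or unclaimed) is stated in the comments; if Discord changes its API the classifier falls through to "unknown" rather than guessing.

```python
"""Added example: audit a page for Discord invite links that no longer resolve
and are therefore candidates for vanity-URL hijacking. Not code from the
report or from Beanstalk; the HTML below is constructed for illustration."""
import json
import re
import urllib.error
import urllib.request

# Matches discord.gg/<code>, discord.com/invite/<code>, discordapp.com/invite/<code>.
# Invite and vanity codes are alphanumeric with optional hyphens.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)


def extract_discord_invites(html: str) -> list[str]:
    """Return the unique invite codes found in the page, in document order."""
    codes: list[str] = []
    for match in INVITE_RE.finditer(html):
        code = match.group(1)
        if code not in codes:
            codes.append(code)
    return codes


def classify_invite(status: int, body: dict) -> str:
    """Map an invite-API response to a verdict.

    Assumption (based on Discord's documented error format): a 200 response
    carrying a 'guild' object means the invite is live; a 404 whose JSON body
    has Discord error code 10006 ('Unknown Invite') means nobody currently
    holds that code, i.e. it can be claimed as a vanity URL by any eligible
    server. Anything else (rate limiting, transport errors) is 'unknown'.
    """
    if status == 200 and isinstance(body.get("guild"), dict):
        return "live"
    if status == 404 and body.get("code") == 10006:
        return "unclaimed"
    return "unknown"


def check_invite(code: str, timeout: float = 10.0) -> str:
    """Query Discord for one invite code. Makes a network request."""
    url = f"https://discord.com/api/v10/invites/{code}"
    req = urllib.request.Request(url, headers={"User-Agent": "invite-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_invite(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        try:
            body = json.load(err)  # HTTPError is file-like; Discord returns JSON
        except ValueError:
            body = {}
        return classify_invite(err.code, body)


def audit(html: str, checker=check_invite) -> dict[str, str]:
    """Return {invite_code: verdict} for every invite linked from the page.

    `checker` is injectable so the extraction/classification logic can be
    exercised without touching the network.
    """
    return {code: checker(code) for code in extract_discord_invites(html)}


# Constructed sample page (not the real app.bean.money markup).
SAMPLE_HTML = """
<footer>
  <a href="https://twitter.com/example">Twitter</a>
  <a href="https://discord.gg/beanstalk">Discord</a>
  <a href="https://discord.com/invite/beanstalk">Discord (alt link)</a>
  <a href="https://discord.gg/AbC123xy">Dev chat</a>
</footer>
"""

if __name__ == "__main__":
    for invite_code, verdict in audit(SAMPLE_HTML).items():
        print(f"{invite_code}: {verdict}")
```

Run it against a real page body and any "unclaimed" verdict is exactly the condition the report exploits: the site still advertises the invite, but no server owns it, so the first server to set that vanity URL receives the traffic. Treat an "unknown" result as "re-check", not as safe.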
BIC Response
This is not a valid bug report because Discord link hijacking is considered out of scope (OOS) due to its classification as a low-severity issue according to the Immunefi vulnerability severity classification system (https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). We do not provide compensation for low-severity Websites and Applications issues.
Due to these reasons, we are closing the submission and no reward will be issued.