How Discord let anyone @everyone

Your mentions are safe, but let's see how in early 2023, a vulnerability in Discord allowed the mention @everyone permission to be bypassed.

Discord, as a messaging service, constantly adds new features to the messages you can send. Unfortunately, a handful of times this has allowed @everyone permission bypasses to slip in. We'll dive into how these issues were found & how Discord rolled out changes to prevent future abuse.

The @everyone permission

Before we dive too deep, let's talk about the permission this vulnerability bypassed. The permission in question allows a user to mention @everyone, @here AND all roles within the server. This is important to remember; we'll come back to it later. Discord considers this a 'Dangerous Permission' and forces you to disable it for normal users before you can turn your server into a community. Of course - you don't want random users pinging your entire server.

Promising beginnings

Often, I'll discover a vulnerability while exploring other issues I've found. That was the case for this one. Back in early 2023, I discovered that thread name update messages would always have the embed links permission, and would always embed any link you set the thread name to. This message type was re-used in threads & was initially introduced to the Discord app for Group DM channel name changes. This meant we already had a permission bypass (embed links) - but what other permissions could be bypassed by these messages, and why did they bypass the permissions at all?

Message types & re-use

In a handful of situations, Discord will send a message on your behalf. This happens when you start a call in a DM, when you change the name of a Group DM, or when you change the name of a Thread (as mentioned above). When I update a Thread's name, the message below is sent:

{
  "type": 4,
  "tts": false,
  "timestamp": "2024-05-28T00:27:19.502000+00:00",
  "position": 1,
  "pinned": false,
  "mentions": [],
  "mention_roles": [],
  "mention_everyone": false,
  "id": "1244809194906062858",
  "flags": 0,
  "embeds": [],
  "edited_timestamp": null,
  "content": "name changed",
  "components": [],
  "channel_id": "1244809150525866025",
  "author": {
    "username": "panley",
    "public_flags": 4588096,
    "id": "249287049482338305",
    "global_name": "panley",
    "discriminator": "0",
    "clan": null,
    "avatar_decoration_data": null,
    "avatar": "ef8b8bb214443a639d84e00e89119677"
  },
  "attachments": []
}

The first important thing here: the name of the channel is served through the message content. This means the name will be treated like any other message content & will resolve both links and mentions. This is where the security vulnerability rears its head: messages that Discord generates on your behalf like this used to bypass all permissions. This message type is CHANNEL_NAME_CHANGE (type 4) in the table below. The same issue also existed for servers named <<@everyone>>, whose name resolved mentions in type 12 (CHANNEL_FOLLOW_ADD) messages.
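To make the failure mode concrete, here is an added example (not Discord's code, and not from the original post) that models the two behaviours described above: a "vulnerable" resolver that scans every message's content for mentions and links no matter who or what produced it, beside a "hardened" resolver that treats system-generated text (type 4 name changes, type 12 follow-adds) as inert and only honours mentions or embeds when the author actually holds the permission. The permission bits and message type numbers are the public Discord API values; the USER_AUTHORED_TYPES set, the regexes, the sample messages and their ids are assumptions constructed for this example. The find_bypasses helper is the kind of audit a moderator bot could run over logged messages to see which ones would have pinged under the old rules.

```python
import re
from dataclasses import dataclass, field

# Permission bits as published in the Discord API docs.
MENTION_EVERYONE = 1 << 17
EMBED_LINKS = 1 << 14

# Message types named in the post: 0 is a normal message, 4 is the
# CHANNEL_NAME_CHANGE system message, 12 is CHANNEL_FOLLOW_ADD, 19 is a reply.
DEFAULT, CHANNEL_NAME_CHANGE, CHANNEL_FOLLOW_ADD, REPLY = 0, 4, 12, 19
# Assumption for this example: only these types carry text the author typed as a
# message; everything else is text Discord generated (a thread name, a server name).
USER_AUTHORED_TYPES = {DEFAULT, REPLY}

EVERYONE_RE = re.compile(r"@(everyone|here)\b")
ROLE_MENTION_RE = re.compile(r"<@&(\d+)>")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Resolved:
    mention_everyone: bool = False
    mention_roles: list = field(default_factory=list)
    embeds: list = field(default_factory=list)


def resolve_vulnerable(message: dict, author_perms: int) -> Resolved:
    """'Before': every message's content is scanned, regardless of type or permission."""
    content = message["content"]
    return Resolved(
        mention_everyone=bool(EVERYONE_RE.search(content)),
        mention_roles=ROLE_MENTION_RE.findall(content),
        embeds=URL_RE.findall(content),
    )


def resolve_hardened(message: dict, author_perms: int) -> Resolved:
    """'After': system-generated text is inert, and mentions/embeds need the permission."""
    content = message["content"]
    r = Resolved()
    if message["type"] not in USER_AUTHORED_TYPES:
        return r  # a thread name or followed-server name never pings or embeds
    if author_perms & MENTION_EVERYONE:  # per the post, one perm covers everyone, here AND roles
        r.mention_everyone = bool(EVERYONE_RE.search(content))
        r.mention_roles = ROLE_MENTION_RE.findall(content)
    if author_perms & EMBED_LINKS:
        r.embeds = URL_RE.findall(content)
    return r


def find_bypasses(messages, author_perms: int) -> list:
    """Audit helper: ids of messages where the old resolver would have pinged or
    embedded something that the hardened resolver refuses."""
    flagged = []
    for m in messages:
        if resolve_vulnerable(m, author_perms) != resolve_hardened(m, author_perms):
            flagged.append(m["id"])
    return flagged


# Constructed sample messages modelled on the JSON above (ids are made up).
SAMPLE_MESSAGES = [
    {"id": "1", "type": CHANNEL_NAME_CHANGE, "content": "@everyone look at https://example.invalid/"},
    {"id": "2", "type": CHANNEL_FOLLOW_ADD, "content": "<<@everyone>>"},
    {"id": "3", "type": DEFAULT, "content": "@here <@&123456789012345678> meeting now"},
    {"id": "4", "type": DEFAULT, "content": "just a normal message"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["id"], resolve_vulnerable(m, 0), resolve_hardened(m, 0))
    print("pinged under old rules for an author with no permissions:",
          find_bypasses(SAMPLE_MESSAGES, 0))
```

Run as-is, the audit flags messages 1, 2 and 3 for an author with no permissions; give the author MENTION_EVERYONE and EMBED_LINKS and only the two system messages (1 and 2) remain flagged, which is exactly the class of message the fix had to neutralise.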

Report time

So, we've identified the vulnerability; time to report it to Discord! While reporting this issue, I rapidly identified other issues, including other vulnerable message types and additional bypasses. It seems messages generated by Discord on your behalf got special treatment in a lot of ways - likely an early oversight, as these kinds of messages have been in Discord for years. The report was triaged by Discord in 3 days & fixed after a few weeks - considering the low severity, this is a good response time!

Report time 2: Automod Boogaloo

Much later in 2023, I decided to take another look at these message types & see if any vulnerabilities persisted. At this time, Automod was well known to have bypasses & many Discord security researchers had submitted reports for it. With this in mind, I decided to see if thread name change messages could bypass Automod, and wouldn't you know - they did! However, Automod was especially vulnerable, so Discord moved it to best-effort during the triage of this report.

Best-effort & out of scope assets

There are a lot of things Discord won't take reports for, usually because they're especially vulnerable, the attacks are not deemed valid because a fix is impossible (like brute forcing or social engineering), or the asset uses non-Discord infra (like the blog). This list constantly evolves as vulnerabilities are reported.

How Discord fixed the underlying issue

The primary issue is one I highlighted very early on in my first report:

Additional note that type 4 messages cannot be deleted, meaning moderators cannot intervene by deleting type 4 messages that mention users/roles/everyone/here.

Moderators should, ideally, have the power to delete these messages. As Discord was generating them on your behalf, these special 'system' messages were immune to deletion. This led staff to make many of these message types deletable & the community to fully document this property of message types.

Should I still be worried?

Nobody is pinging @everyone without permissions right now. This issue and the underlying cause were sufficiently addressed by Discord's Security team. If you're ever worried your server might not have its permissions properly set up, make sure to try out the 'View server as role' feature. This will let you test & see whether you're able to resolve @everyone/@here/role mentions as an average user. Remember to use category syncing to keep your permissions clean too!
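The 'View server as role' check above can also be scripted for a whole server. The following added example (not from the original post and not Discord's implementation) computes a member's effective permissions per channel using the overwrite order Discord documents for its API (base permissions from the @everyone role plus the member's roles, then the channel's @everyone overwrite, then role overwrites, then the member overwrite) and reports, channel by channel, whether that member could mention @everyone. It also models the category syncing the post recommends: a synced channel takes its category's overwrites, an unsynced one keeps its own. The permission bits are the public API values; the ALL_PERMISSIONS stand-in for administrators, the guild/channel dict layout, the role named "Moderator" and every id are assumptions constructed for the example.

```python
# Permission bits from the Discord API docs.
ADMINISTRATOR = 1 << 3
SEND_MESSAGES = 1 << 11
MENTION_EVERYONE = 1 << 17
ALL_PERMISSIONS = (1 << 64) - 1  # assumption: an "every bit set" stand-in for administrators


def base_permissions(everyone_role_perms: int, role_perms: dict, member_roles: list) -> int:
    """Guild-wide permissions: the @everyone role OR'd with each of the member's roles."""
    perms = everyone_role_perms
    for rid in member_roles:
        perms |= role_perms.get(rid, 0)
    return ALL_PERMISSIONS if perms & ADMINISTRATOR else perms


def effective_overwrites(channel: dict, channels: dict) -> dict:
    """A channel synced to its category uses the category's overwrites instead of its own."""
    if channel.get("synced") and channel.get("parent_id") in channels:
        return channels[channel["parent_id"]]["overwrites"]
    return channel["overwrites"]


def channel_permissions(base: int, overwrites: dict, everyone_role_id: str,
                        member_roles: list, member_id: str) -> int:
    """Apply overwrites in the documented order: @everyone role, then roles, then member."""
    if base & ADMINISTRATOR:
        return ALL_PERMISSIONS
    perms = base
    ow = overwrites.get(("role", everyone_role_id))
    if ow:
        perms = (perms & ~ow["deny"]) | ow["allow"]
    allow = deny = 0
    for rid in member_roles:  # all role overwrites are combined before being applied
        ow = overwrites.get(("role", rid))
        if ow:
            allow |= ow["allow"]
            deny |= ow["deny"]
    perms = (perms & ~deny) | allow
    ow = overwrites.get(("member", member_id))
    if ow:
        perms = (perms & ~ow["deny"]) | ow["allow"]
    return perms


def audit_mention_everyone(guild: dict, member_roles: list, member_id: str) -> dict:
    """'View server as role' in code: for each text channel, can this member mention @everyone?"""
    base = base_permissions(guild["everyone_role_perms"], guild["role_perms"], member_roles)
    result = {}
    for cid, ch in guild["channels"].items():
        if ch.get("is_category"):
            continue
        ows = effective_overwrites(ch, guild["channels"])
        perms = channel_permissions(base, ows, guild["id"], member_roles, member_id)
        result[cid] = bool(perms & MENTION_EVERYONE)
    return result


# Constructed guild (all ids are made up). The @everyone role mistakenly keeps
# MENTION_EVERYONE; only a category overwrite removes it, so the channel that is
# not synced to its category stays exposed to an average member.
SAMPLE_GUILD = {
    "id": "100",  # the @everyone role shares the guild's id
    "everyone_role_perms": SEND_MESSAGES | MENTION_EVERYONE,
    "role_perms": {"200": MENTION_EVERYONE},  # hypothetical "Moderator" role
    "channels": {
        "300": {"is_category": True,
                "overwrites": {("role", "100"): {"allow": 0, "deny": MENTION_EVERYONE}}},
        "301": {"parent_id": "300", "synced": True, "overwrites": {}},
        "302": {"parent_id": "300", "synced": False, "overwrites": {}},
        "303": {"parent_id": None, "synced": False,
                "overwrites": {("role", "100"): {"allow": 0, "deny": MENTION_EVERYONE},
                               ("role", "200"): {"allow": MENTION_EVERYONE, "deny": 0}}},
    },
}

if __name__ == "__main__":
    print("average member:", audit_mention_everyone(SAMPLE_GUILD, [], "u1"))
    print("moderator:     ", audit_mention_everyone(SAMPLE_GUILD, ["200"], "u2"))
```

For the constructed guild, an average member can still mention @everyone in channel 302, the one that was never synced to its category; the synced channel 301 and the explicitly locked channel 303 are safe, and the moderator regains the permission only in 303 where a role overwrite grants it. That unsynced channel is precisely the kind of gap the 'View server as role' feature and category syncing are meant to surface.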