The $3,500 bug in Discord's Unreleased Experiment
Ever wanted to report a Bug Bounty to Discord? This article will cover the basics of the report process, using a critical vuln as an example!

Discord has bugs. All platforms have bugs. But Discord works very hard to make sure as few bugs as possible hit production, with a dedicated security team addressing HackerOne reports. Here's how a critical security vulnerability was found and patched before this feature even entered its final iteration.
What is a Security Vulnerability?
There are a lot of bugs out there! Some are mild visual bugs, some crash your app, but the worst breed of all allow dangerous actions by attackers. A security vulnerability is a bug or issue that allows an attacker to perform actions they should not normally be able to. There is a lot I could explain here, but I'll keep it short. You can read more here.
The tl;dr is that each company has a set list of the specific vulnerability types it accepts, and a severity score is calculated from what the vulnerability lets an attacker do and how it's achieved. Anyone being able to delete any server is critical severity. A thread name ignoring AutoMod is probably low severity.
What is the Unreleased Feature?
Sometimes, before you run, you have to walk. And Apps in DMs walked so User Apps could run. This security issue was not present in User Apps but rather in Apps in DMs, its predecessor. You might wonder what the difference is. Well, to be candid, everything: the UI, the API, the use cases and the goals of the products were entirely different. User Apps is a new feature by Discord allowing Apps (formerly Bots) to be used in Discord's DMs and Group DMs. You can read more about them in Discord's announcement and this Help Center article.

What was the vulnerability?
The core of the issue was the concept of DMs and the concept of Apps mixing. At the time of the earliest tests, DMs didn't really have a solid concept of permissions. You could either DM someone or not, with strange exceptions like being able to pin messages in a DM where you can't otherwise send any. This vulnerability was another one of those exceptions.

One of those exceptions
You might have guessed what the issue was by now; if so, good job! The issue is that Apps in DMs had no concept of permissions when introduced in very early testing. That also meant they had no concept of the relationship between the two users in a DM (friend, mutual server, blocked), which is exactly the check normal message sending enforces. So any Apps in DMs app could be authorized into any DM, and then you could manually execute a command by sending the interaction yourself:
POST https://discord.com/api/v9/interactions
{
  "type": 2,
  "application_id": "valid_apps_in_dms_client_id",
  "channel_id": "dm_channel_with_blocked_user",
  "session_id": "REDACTED",
  "data": {
    "version": "REDACTED",
    "id": "REDACTED",
    "name": "fish",
    "type": 1,
    "options": [],
    "application_command": {
      "id": "REDACTED",
      "application_id": "REDACTED",
      "version": "REDACTED",
      "default_member_permissions": null,
      "type": 1,
      "nsfw": false,
      "name": "fish",
      "description": "Catch some fish!",
      "dm_permission": true,
      "contexts": [
        0,
        1,
        2
      ]
    },
    "attachments": []
  },
  "nonce": "REDACTED"
}
What you'd expect here is an error, similar to what Discord normally returns when you try to message a user who isn't your friend, shares no mutual servers with you, or has blocked you:
{"message": "Cannot send messages to this user", "code": 50007}
Instead, we get an empty 200 response and the command executes.
That's right: this vulnerability would allow a theoretical attacker to abuse Apps in DMs to get a message into the DM of anyone on Discord, including users who had blocked them, because the interaction endpoint never applied the relationship check that message sending does. You did need a Discord account to do this, though. Considering the proliferation of scam botnets across Discord, this vulnerability was rated Critical severity.
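To make the class of bug concrete, here is an added toy model, written for this article and not Discord's code (which isn't public), of the two endpoints that can write into the same DM channel: normal message sending, which the article says is gated by the friend/mutual/block relationship, and the interactions endpoint as first tested, which wasn't. A fixed handler that reuses the same gate sits beside the vulnerable one. The relationship rules in `can_dm`, the `User` and `DMChannel` shapes, the application id and the 400 error body are assumptions; only the 50007 error body and the empty 200 come from the article.

```python
from dataclasses import dataclass, field

# Error body Discord returns when normal message sending is refused (quoted in the article).
CANNOT_SEND = {"message": "Cannot send messages to this user", "code": 50007}


@dataclass
class User:
    id: int
    friends: set[int] = field(default_factory=set)
    blocked: set[int] = field(default_factory=set)  # users this account has blocked
    guilds: set[int] = field(default_factory=set)   # servers this account is in


@dataclass
class DMChannel:
    id: int
    recipients: tuple[int, int]
    authorized_apps: set[int] = field(default_factory=set)  # Apps in DMs authed into this DM


def can_dm(sender: User, recipient: User) -> bool:
    """Relationship gate. Assumed rules: a block in either direction refuses,
    friends pass, otherwise the pair needs a mutual server."""
    if sender.id in recipient.blocked or recipient.id in sender.blocked:
        return False
    if sender.id in recipient.friends:
        return True
    return bool(sender.guilds & recipient.guilds)


def other_recipient(channel: DMChannel, sender: User, users: dict[int, User]) -> User:
    a, b = channel.recipients
    return users[b if a == sender.id else a]


def send_message(sender, channel, content, users):
    """Message sending as the article describes it: refused unless can_dm passes."""
    if not can_dm(sender, other_recipient(channel, sender, users)):
        return 403, CANNOT_SEND
    return 200, {"channel_id": channel.id, "author_id": sender.id, "content": content}


def validate_interaction(channel, payload):
    """Checks both handler versions share: APPLICATION_COMMAND type (2) and an app authed into the DM."""
    return payload.get("type") == 2 and payload.get("application_id") in channel.authorized_apps


def run_interaction_vulnerable(sender, channel, payload, users):
    """The interactions endpoint as first tested: it validates the app and command but never
    consults the relationship between the two DM participants, so the command runs and
    the empty 200 the article observed comes back."""
    if not validate_interaction(channel, payload):
        return 400, {"message": "Invalid interaction"}  # assumed error body, not Discord's
    return 200, None


def run_interaction_fixed(sender, channel, payload, users):
    """Same handler with the DM relationship gate applied before the command runs."""
    if not validate_interaction(channel, payload):
        return 400, {"message": "Invalid interaction"}  # assumed error body, not Discord's
    if not can_dm(sender, other_recipient(channel, sender, users)):
        return 403, CANNOT_SEND
    return 200, None


def demo():
    """Constructed fixture: bob has blocked alice even though they share a server;
    carol is alice's friend. Returns each endpoint's response for both DMs."""
    alice = User(1, friends={3}, guilds={100})
    bob = User(2, blocked={1}, guilds={100})
    carol = User(3, friends={1})
    users = {u.id: u for u in (alice, bob, carol)}
    app_id = 900  # hypothetical Apps in DMs application id
    dm_bob = DMChannel(10, (1, 2), authorized_apps={app_id})
    dm_carol = DMChannel(11, (1, 3), authorized_apps={app_id})
    payload = {"type": 2, "application_id": app_id, "data": {"name": "fish", "type": 1}}
    results = {}
    for label, dm in (("blocked", dm_bob), ("friend", dm_carol)):
        results[label] = {
            "message": send_message(alice, dm, "hi", users),
            "vulnerable": run_interaction_vulnerable(alice, dm, payload, users),
            "fixed": run_interaction_fixed(alice, dm, payload, users),
        }
    return results


if __name__ == "__main__":
    for case, by_endpoint in demo().items():
        for endpoint, (status, body) in by_endpoint.items():
            print(f"{case:8} {endpoint:11} -> {status} {body}")
```

The point of the model is the shape of the fix rather than the specific rules: every endpoint that can cause content to land in a DM (a message, a command response) has to pass through the one relationship gate, so a new endpoint cannot quietly skip it.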
Reporting the vulnerability
So, I've identified this issue; now I need to report it! Luckily Discord has a HackerOne program, meaning I can visit their site, report the vuln, then keep an eye on my HackerOne account for updates.

Except it wasn't so simple in this one case: this vuln was potentially incredibly dangerous, since a spammer, scammer or platform abuser could use it en masse. Because of that, the bug was triaged directly and fixed within 24 hours of being identified. That's pretty speedy.
Turning bugs into money
With the vuln reported, Discord's security team confirmed its severity and it was promptly paid out. Discord pays $3,500 for critical vulnerabilities, so that's the story of the $3,500 bug in Discord's unreleased feature!

But I want bug money too!
Make sure to re-read the top of this article: security vulns are not your typical bug. You should have an understanding of the vulns Discord accepts, an idea of how CVSS calculators work and an intimate knowledge of the area you're testing for bugs. I know how Discord's API works very well, so I excel at finding API bugs. You might be better at finding client-side bugs (things like XSS), or maybe even weirder things on Discord's site or gateway.
But please keep in mind, you should only try to find or report security vulnerabilities if you actually understand what you're doing. Discord's anti-abuse systems will not be able to identify your "good intent" and will absolutely terminate your account if the security testing you're doing overlaps with things a malicious actor would do (which is commonly the case). And Discord will not even consider your report if it isn't a valid security concern, with each bad report knocking down your HackerOne reputation.
This article looks different to before, what happened?
I got my facts wrong. I conflated the newly released User Apps feature with the earlier and abandoned Apps in DMs. It's misrepresentative to say the security issue was with User Apps, and thankfully someone more familiar with the development of the different features was able to correct me on this. This issue prompted the creation of Content Policies for the PNLY blog, to hopefully prevent this in future and provide a consistent path for resolution if we fail to do so.