On the feasibility of malicious Discord bots

By Chris DeMarco

Discord is a free online service that enables easy communication. For many years it has been used and advertised as another way to keep in touch with friends. It has become very popular for its convenient and well-designed ability to choose which group of people you want to share something with.

Since the start of efforts to quarantine most activities that were previously held in person have been held remotely instead. This ranges from school and recreational events to and most work. This has led to the increased usage of software such as Zoom and Google Meets. In the case of Zoom, there were many security issues that were made public in response to this increased popularity.

Discord experienced a similar growth during COVID. In just one year the number of active users has doubled. Without being able to meet in person, many people are looking for new ways to socialize that are more personal than social media.

However, more importantly, I have noticed the increase in use of Discord in more professional settings. In the past year I have been required to use Discord for several of my classes. The need increased for remote communication makes Discord an obvious choice. Instead of meeting in person and sending notifications over myCourses and email, communication has been conveniently centralized to a single application. In the classes that have opted for this class updates for exams and assignments, group project discussion, and questions for TAs and professors are all completed in Discord. I have also recently heard of Discord being used for workplace discussion.

In the past I had instead used the application Slack for professional discussion such as communication required for class and work. However, in my personal experience Discord has recently become the preferred application. I believe that this is because it is something people are already familiar with and using, while also having a better interface and more features. However, some of these features introduce security risks.

Just last week was research published by Cisco that indicated that the usage of Discord as a tool for cybercriminals has increased drastically since the COVID pandemic started. There have been many instances of authentication tokens being stolen and used for impersonation. Also, Discord allows you to upload files to share with your peers, and then link these files within and outside of Discord. These links will include the Discord domain despite containing files from elsewhere. The webhooks feature of Discord allows attackers to use the application for command-and-control. One Cisco team lead recommends blocking Discord links entirely.

One feature that I have noticed may introduce many security risks is bots. In the context of Discord, bots are essentially third party add-ons. Popular examples include bots that play music or fetch data.

For the purpose of this blog post, I created my own Discord bot to learn more about the capabilities and vulnerabilities of this feature.

The first thing I noticed was how creating a bot (with no function) required nothing but an email verification. It seems that literally anyone can create and publish a bot for public use.

Below is a short segment of code that creates a functioning bot. Although its function is simple, it is concerning how easy it is to make your own. By using APIs and cloud computing services such as AWS and Azure, anyone could create one of these bots.

These two things stood out to me as concerning because some bots may have malicious developers while others may have developers who are not experienced enough to properly secure their them.

By using a publicly available API, “discord.py”, I was able to easily read messages that were not intended to be read by me. Below you can find the messages sent in Discord, and the resulting output that I received despite not being one of the people intended to see these messages.

Another concern I have is that these bots are not accessible from the Discord application. If you are looking for new bots to use, you need to visit various untrustworthy third-party sites. For example, the site below clearly does not belong to Discord, however, is a popular place to choose bots from. It is doubtful that this site properly checks for malicious bots. You also have to wonder what the motivation is for running the site itself.

At this point I knew that there was a risk to this feature, so I did some research. One interesting example of malicious activity involving a discord bot involved the installation of a crypto miner onto the machines of the bots userbase. The owner of the bot claims that this was an attack on the bot, and the bot itself is harmless. Since this event, the bot has been taken down and supposedly properly secured. However, it illustrates the malicious potential of this feature.

After this research, my main concern with the bots feature of Discord is how easy and accessible it is to create bots, while the users of these bots are expected to blindly trust them.

I know that many people are not concerned with whatever happens to data involving their casual conversation, but you should be cautious with what kinds of discussion you use over this application. If you do decide to use this application and the bots feature, it may be in your best interest to use bots that are open source and limit their permissions to what is required for their function.

https://sysdig.com/blog/rinbot-discord-bot-crypto-miner/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s