Did you know you can earn bounties using Discord?
2023-6-5 11:31:21 Author: infosecwriteups.com

Alp Ü.

InfoSec Write-ups

Hi folks. This is Alp. I haven’t been here for a long time (again). I remembered that I have a Medium account. As the title says, I will show a Discord-related bug in this post.

I’m sure everyone knows Discord, but I want to make sure everyone really knows what it is.

Discord is an American VoIP and instant messaging social platform. Users have the ability to communicate with voice calls, video calls, text messaging, media, and files in private chats or as part of communities called “servers”.

The number of people who use Discord monthly has grown rapidly, from 10 million in 2017 to an estimated 196.2 million users this year. Discord is used by a lot of people (even the Ukrainian military), and many companies use it officially as well.

Discord offers this exclusive feature for servers:

  • Custom Invite Link

With a custom invite link, you can put any text you want after the “discord.com/invite/<here>” prefix and invite people to your server with this vanity invite link. To use it, your server must be boosted 14 times.

I found a private program on HackerOne as a target that had also built a community on Discord.

They have a custom invite link. We can call it “customlink”.

Then I went to the scope page of the private program. There was a domain in scope named “target.com”. When I visited that domain, there was an invitation to their Discord server in the footer. This is where the issue starts.

I noticed they used their custom invite link in their footer.

So I started checking the Discord invite link with automation. If any server member stops boosting, the server drops below 14 boosts and the custom invite link feature becomes unusable, so anyone can claim the custom invite URL. Boosting a server 14 times costs $69.86, and you earn more than you lose: low-severity reports pay $250 (😛) against the $68 spent. Also, Discord sometimes makes deals with third-party companies and gives free Nitro to users, so you may not need to spend the $68 at all.

Then I got a notification that the server invite was no longer valid, which means the server’s boost level had dropped below 14 boosts. I took over the invite link and immediately sent a report to the team.
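The defensive counterpart of the check described above, added here as an example and not the author’s automation: a site owner can poll the invite their own footer links to and raise an alert when it stops resolving or resolves to a different server. It assumes Discord’s public invite lookup endpoint (`GET /api/v10/invites/{code}`, answering 404 with error code 10006 for an unknown invite); the footer HTML, guild id and invite code are constructed sample data.

```python
import json
import re
import urllib.request
from typing import Optional
from urllib.error import HTTPError, URLError

# discord.gg/<code>, discord.com/invite/<code> and discordapp.com/invite/<code>
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)")
INVITE_API = "https://discord.com/api/v10/invites/{code}"  # assumed public lookup endpoint
UNKNOWN_INVITE = 10006  # JSON error code sent with a 404 for an unknown invite (assumed)

def extract_invite_codes(html: str) -> list:
    """Return the distinct invite codes a page (e.g. a footer) links to."""
    return sorted(set(INVITE_RE.findall(html)))

def classify_invite(status: int, body: str, expected_guild_id: Optional[str] = None) -> str:
    """Map a lookup response to ok / hijacked / dangling / error. A takeover leaves the
    vanity link resolving, just to someone else's server, so the guild id is compared too."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return "error"
    if status == 200:
        guild_id = (data.get("guild") or {}).get("id")
        if expected_guild_id and guild_id != expected_guild_id:
            return "hijacked"  # valid, but points at a different server
        return "ok"
    if status == 404 and data.get("code") == UNKNOWN_INVITE:
        return "dangling"      # unclaimed: boosts lapsed, the code is up for grabs
    return "error"             # rate limit, outage or unexpected payload

def check_invite(code: str, expected_guild_id: Optional[str] = None) -> str:
    """Live lookup of one invite code (needs network access)."""
    req = urllib.request.Request(INVITE_API.format(code=code),
                                 headers={"User-Agent": "invite-monitor/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_invite(resp.status, resp.read().decode(), expected_guild_id)
    except HTTPError as e:
        return classify_invite(e.code, e.read().decode(errors="replace"), expected_guild_id)
    except URLError:
        return "error"

# Constructed sample footer and API bodies so the module also runs offline.
SAMPLE_FOOTER = '<footer><a href="https://discord.com/invite/customlink">Join us</a></footer>'
SAMPLE_OK = json.dumps({"code": "customlink", "guild": {"id": "111"}})
SAMPLE_UNKNOWN = json.dumps({"message": "Unknown Invite", "code": UNKNOWN_INVITE})
```

`check_invite("customlink", "111")` performs the live lookup; run it on a schedule and treat `dangling` or `hijacked` as an incident, pulling the link from the footer until it is reclaimed.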

I’ve submitted this issue to two programs so far. One of them closed the report as resolved without a bounty and fixed the issue (there was no way to appeal the decision; I respected it because the program was not managed by HackerOne).

Usually such a report is awarded a bounty. I know that not receiving one here is an exception, and I don’t mind.

The other one is still pending. In my opinion this is definitely a serious issue and should be classified as low/medium severity (depending on the program), because attackers can redirect the website’s Discord invite link to their own server and use it to scam people and cause other harm.

If you have a question about this or anything else, feel free to contact me on Twitter or in the Medium comments.

Twitter: https://twitter.com/alp0x01

Thanks for reading, see ya!


Source: https://infosecwriteups.com/did-you-know-you-can-earn-bounty-using-discord-1e8eb79aa260?source=rss----7b722bfd1b8d--bug_bounty