←back to thread

Discord Is Threatening to Shutdown BotGhost

(update.botghost.com)
139 points exists | 7 comments | 23 Jun 25 20:16 UTC | HN request time: 1.247s | source | bottom
1. nxrabl ◴[23 Jun 25 22:32 UTC] No.44360872[source]
> A recent security breach on our platform brought BotGhost to Discord’s attention.

The breach in question is documented here: https://youtube.com/watch?v=lUiLBBab1RY

I don’t think there’s a text write-up, but tl;dw a combination of missing input sanitization and no-code UI trickery made it possible to leak other users’ bot tokens, and despite patching the exploit pretty quickly on exposure, BotGhost’s developer tried to cover it up and refused to reset potentially affected tokens.

replies(3): >>44360911 #>>44364446 #>>44367952 #
2. rozab ◴[23 Jun 25 22:37 UTC] No.44360911[source]
Seems like this is it. They should have got Discord to revoke all the potentially affected tokens. Instead, they tried to hide it and Discord forced their hand.

I really dislike the way they try and play this down in the doc:

https://update.botghost.com/#-summary-of-the-breaches-

3. operator-name ◴[24 Jun 25 09:54 UTC] No.44364446[source]
The video is linked in the article, amongst the response, timeline and further fixed exploits.

But it is correct that the article does not reiterate the technical details of the exploit.

4. x0x0 ◴[24 Jun 25 16:30 UTC] No.44367952[source]
Maybe uncharitable, but it seems like BotGhost comprehensively doesn't take security seriously. Not only were there bad vulnerabilities, but they didn't have the logging (or didn't use it) to see who was affected; didn't want to roll keys; didn't want to announce; and didn't even have their own bots use their own security features. So yeah. I'm a bit more sympathetic if Discord decided that BotGhost in particular wasn't going to be using Discord's platform any more. Because I'd guess the probability these are the last of BotGhost's serious vulnerabilities to be about 0%.

So now botghost is doing a pentest. But I dunno... my guess at the likelihood of doing a good job backfilling security into a codebase that wasn't built with that as a core concern is also low.

replies(1): >>44369028 #
5. immibis ◴[24 Jun 25 18:11 UTC] No.44369028[source]
That logging you want (every command and response) would have been a huge GDPR violation.

I suppose they could have logged only if a bot token was detected in output. But if you'd think to do that, then why not also just block the output?

replies(1): >>44372232 #
6. x0x0 ◴[24 Jun 25 23:38 UTC] No.44372232{3}[source]
You do not understand GDPR at all. Both performance of contract and legitimate interests cover security issues and associated logging.
replies(1): >>44385417 #
7. immibis ◴[26 Jun 25 08:37 UTC] No.44385417{4}[source]
Logging all user inputs and outputs forever "because what if there's a bug" (and you don't know what the bug will be) will not fly with any judge.