
139 points | 1 comments
nxrabl No.44360872
> A recent security breach on our platform brought BotGhost to Discord’s attention.

The breach in question is documented here: https://youtube.com/watch?v=lUiLBBab1RY

I don’t think there’s a text write-up, but tl;dw a combination of missing input sanitization and no-code UI trickery made it possible to leak other users’ bot tokens, and despite patching the exploit pretty quickly on exposure, BotGhost’s developer tried to cover it up and refused to reset potentially affected tokens.

replies(3): >>44360911 >>44364446 >>44367952
1. rozab No.44360911
Seems like this is it. They should have got Discord to revoke all the potentially affected tokens. Instead, they tried to hide it and Discord forced their hand.

I really dislike the way they try and play this down in the doc:

https://update.botghost.com/#-summary-of-the-breaches-