Finding a security bug in Discord and what it taught me

Tristan Farkas
Nov 24, 2019 · 3 min read

On the 10th of November, I was looking through some of Discord's OAuth documentation because of a project I'm working on when something interesting caught my eye: the "Client Credentials Grant" system for quickly retrieving an OAuth token for testing purposes. I had never used this system before, but the gist of it is that you make a request to an API endpoint with a client id and client secret, and you receive an OAuth token for the application owner that can be used for quick testing, since it doesn't require the user to go through the OAuth flow. Then a thought popped into my head: what would happen if I used an application that was not owned by a single user but rather by a Team? Teams on Discord are groups of users that own application(s) which they manage together. So let's see what happens when I make a client_credentials request for a team project:

A python application being executed that returns us the access_token through the client_credentials api request
Would you look at that.

So it seems we get an access_token we can use. Let's check whether it works:

A JSON object containing a user object like structure with certain IDs redacted.
The user object we receive when making a request to the API using our team's access_token.

So this is getting interesting. It shows that we're able to make requests on behalf of our team, and that a team just seems to be a managed User object. I tested a few different endpoints until I decided to see whether I could join this managed user object to a server/guild. So let's use the Add Guild Member endpoint to see if we can accomplish that. And the request went through successfully? At first, I didn't believe the response I received, but then I went back and checked in the Discord client:

An image of the team user in the server and offline.
A team user object in a server?

This user object was causing all kinds of weird issues with my client:

Error in console saying: "fetchProfile error: 10013 — Unknown User"
Parts of the API thought this user existed; other parts didn't agree.
A picture from the team "user" profile in the Discord client.
Here it did exist!
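To show the bug class behind the client_credentials request and the Add Guild Member step above (a token endpoint that resolves "the application owner" without checking that the owner is actually a user), here is an added toy model of an authorization server. It is not Discord's code and does not describe Discord's actual fix; the principal kinds, the sample applications and the "refuse team-owned apps" check in the hardened variant are assumptions constructed for this example.

```python
# Added toy model of the server side of a client_credentials grant (not Discord's code).
# Principal kinds, sample apps and the "refuse team owners" fix are assumptions for illustration.
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Principal:
    id: str
    kind: str  # "user" or "team"; a team is a managed, non-user principal

class TokenError(Exception):
    pass

# Constructed sample data: client_id -> (client_secret, owning principal).
ALICE = Principal(id="1001", kind="user")
OPS_TEAM = Principal(id="2002", kind="team")
APPS = {
    "app-user": ("s3cret-user", ALICE),
    "app-team": ("s3cret-team", OPS_TEAM),
}
TOKENS = {}  # access_token -> principal the bearer acts as

def _authenticate(client_id, client_secret):
    # Client authentication shared by both variants; constant-time secret compare.
    entry = APPS.get(client_id)
    if entry is None or not hmac.compare_digest(entry[0], client_secret):
        raise TokenError("invalid_client")
    return entry[1]

def issue_token_unchecked(client_id, client_secret):
    # Vulnerable shape: whatever owns the app gets a token as itself, a team included.
    owner = _authenticate(client_id, client_secret)
    token = secrets.token_urlsafe(24)
    TOKENS[token] = owner
    return token

def issue_token_checked(client_id, client_secret):
    # Hardened shape: the grant is meant to act as a human owner, so refuse teams.
    owner = _authenticate(client_id, client_secret)
    if owner.kind != "user":
        raise TokenError("unauthorized_client")
    token = secrets.token_urlsafe(24)
    TOKENS[token] = owner
    return token

def add_guild_member(token, guild_id):
    # Resource endpoint that trusts the token's principal to be a user; returns member key.
    who = TOKENS.get(token)
    if who is None:
        raise TokenError("invalid_token")
    return f"{guild_id}:{who.id}"
```

With the unchecked variant, the team-owned app's token lets a non-user principal become a guild member, which is exactly the inconsistent state the client showed; the checked variant rejects the grant at issuance instead of relying on every downstream endpoint to notice.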

At this point, I reached out to Discord's Bug Bounty Program, and a few days later a Discord employee replied to my report and quickly addressed the issue. This was one of the better bug bounties I've taken part in, and I want to thank the amazing team over at Discord for handling this very professionally. I got the OK from their team yesterday evening that I was free to disclose this, and so here we are. In the past, when I've looked for vulnerabilities in software, I've done so on purpose; in this case, it was just a random thought that put me on the track to find this security bug. And I believe that might be the most effective way to find bugs, because you don't end up wasting a bunch of time looking for issues that might not exist.

That's all from me. Thanks for taking the time to read through this, and if you're interested in this kind of stuff, feel free to follow me on Twitter: https://twitter.com/tristanatfarkas, where I occasionally talk about this stuff!
