Discord’s Session Hijack Vulnerability and Verus Community’s Response

Michael Toutonghi
Verus Coin

--

COPY FROM BELOW THIS LINE TO VERIFY SIGNATURE BELOW

One of the first and most important things to announce is that no funds on the Verus network or in Verus wallets were compromised due to this attack, as they were not subject to the vulnerabilities this hacker group exploited. We hope that the hackers were unable to fool anyone into giving up the funds from their Metamask or other Web wallets and that the criminals’ efforts resulted in a negative return.

This should be a cautionary tale for any communities using Discord, and we will detail what we experienced, in hopes that it might prevent another Discord community from experiencing the same or similar issues. The hackers used a Discord session hijack vulnerability that is currently in use across some notorious hacking groups along with social engineering to inflict significant damage on the Discord server where the Verus community spends much of its time when coordinating. These attacks had no effect on the Verus network, and although the hackers did get control of the Discord server, they did not need to get full control or credentials for any account to inflict their damage on the Discord server. We believe the attack could easily have been cut short immediately if Discord could improve their false positive account disablement as well as their response time to critical support requests.

What we have determined so far:

1. The group targeted me and worked to establish trust as journalists for weeks, always persistent, never pushy. After working with me on an article, where I contributed the following content (Verus Article from Hack).

2. After they said they had completed their article, they worked for 2 days on getting me to accept a content release form, even rewriting it after I refused to agree to their first version.

3. Once they rewrote it, I clicked a link from their Discord server, and although they weren’t able to get login credentials, they exploited a session hijack link, and immediately went to work.

4. After they had my account, which had setup the Discord server so many years ago, under their control, they kicked off all admins, installed their own admins, and did something that Discord would have to help explain that got Discord to instantly ban my account, the only one besides Discord that could have kicked them off.

5. Since then, they started announcing scam links, claiming fraudulent giveaways with Ethereum tokens backed by Verus on websites that if someone with a Metamask or similar wallet engages with, there is a risk of taking assets from them on Ethereum or possibly other networks, not Verus.

6. We still have not heard from or gotten help from Discord Support since this event began, except that they banned my account, and to our knowledge the scammers are still in the old Verus Discord server attempting to scam an ever dwindling group of members who haven’t left by now.

7. If you know anyone in the old Discord, please inform them to leave the Discord asap and not engage in any of the announcements, as they are made by impersonators, while people trying to warn are banned and the original admins are locked out of the server.

8. My old Discord ID is now disabled by Discord, and I no longer have access to our conversations. My new account is miketout.vrsc (this ID), which is not the owner of this Discord, and we have implemented a set of processes for all Discord admins to prevent any such event from occurring again.

Since the Verus Community is much more than a Discord Server, though we still haven’t found a more suitable engagement platform for the way the community works, a number of people have worked to create and secure a new community Discord Server, and we welcome all Verus Community members and well meaning interested people to join.

Though we are still hoping to have a conversation with Discord about the hack and how they could improve their security to prevent this for all of their user communities in the future, we have taken steps independently to harden the Verus Discord community in a way that would prevent such an attack in the future, even if the link click session hijack exploit is not resolved. We also have even better security thoughts for the future around leveraging VerusID in easy, meaningful ways. If you have experience writing Discord bots and especially secure servers, please get in touch. Until then, we hope you will rejoin or join the Verus Community’s Discord server and the worldwide, unlimited scale, fully decentralized blockchain protocol conversation.

Get an invite for the new Verus Discord Community Server: https://verus.io/discord

COPY UNTIL THE END OF THE LINE ABOVE THIS ONE

This article is signed by my ID, mike@ on the Verus network with the following signature:

AX8OKwABQSBhYU0ShQsu6LSRVay8IY7avMhoy3ub8jhznZnlhD5nGRE4h4U5MEWiPg+DXGJRSXd3bWou5TfNHn/zEPfbMA7d

(If you are using Safari, or possibly another browser, you may need this signature instead, as the copied text comes out slightly different):

AZAOKwABQSCaekvVN3CBbneot9AHby8S0+YCYevJDSfps3iaML8BF0j9PMdO/37JYxHbuDy/R11hWe9tCI5AInjppcQhQ3hD

You can verify my signature on any Verus node or lite-mode API by copying the article between the two instruction lines above, entering the ID as mike@, and checking it against the signature above. You can also use the verification interface on the Verus website.
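As an added example (not the author's or the Verus project's own tooling), the script below pulls out exactly the lines between the two COPY markers and, if a local `verus` CLI exposing the `verifymessage` RPC is available (an assumption), checks them against the signature; the sample post is constructed.

```shell
#!/bin/sh
# Constructed sample laid out like the signed article above; replace it
# with the real post saved to a file when verifying for real.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
Title line (not signed)

COPY FROM BELOW THIS LINE TO VERIFY SIGNATURE BELOW

First signed paragraph.

Second signed paragraph.

COPY UNTIL THE END OF THE LINE ABOVE THIS ONE

(signature follows)
EOF

# Signer ID and the first signature given in the article.
ARTICLE_ID="mike@"
ARTICLE_SIG="AX8OKwABQSBhYU0ShQsu6LSRVay8IY7avMhoy3ub8jhznZnlhD5nGRE4h4U5MEWiPg+DXGJRSXd3bWou5TfNHn/zEPfbMA7d"

# Print only the lines strictly between the two marker lines. The end
# marker is tested first so neither marker line is ever printed.
extract_signed_text() {
    awk '
        /^COPY UNTIL THE END OF THE LINE ABOVE THIS ONE/ { inside = 0 }
        inside { print }
        /^COPY FROM BELOW THIS LINE TO VERIFY SIGNATURE BELOW/ { inside = 1 }
    ' "$1"
}

# Ask a local Verus node to verify. Prints "ok", "bad" or "skipped" (no
# node). Note that $(...) drops trailing newlines, so a copy/paste that
# keeps or loses a final blank line can change the verdict, which is the
# browser difference the author mentions.
verify_with_node() {
    id="$1"; sig="$2"; file="$3"
    command -v verus >/dev/null 2>&1 || { echo skipped; return 0; }
    msg=$(extract_signed_text "$file")
    if verus verifymessage "$id" "$sig" "$msg" | grep -q true; then
        echo ok
    else
        echo bad
    fi
}

# Usage with the real article saved as article.txt:
#   verify_with_node "$ARTICLE_ID" "$ARTICLE_SIG" article.txt
extract_signed_text "$SAMPLE_FILE"
```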
