Bing Bong Your Discord Bot Is Pwned

tossw1 pts0 comments

Bing Bong Your Discord Bot is Pwned

Jul 4, 2026<br>Bing Bong Your Discord Bot is Pwned

Discord is one of the top communication apps in the world. With over 190 million monthly active users in 2024, it has changed the game for text-based online communication. The main place people chat on Discord is in servers, which are free to create for anyone. I’ve found the platform to be great for gaming communication through the voice and text systems it provides for my friends and me.<br>Discord does not just focus on small communities, however; it has a focus on larger groups as well. These servers, sometimes with over 1 million users, usually specialize in one topic that server members are passionate about. This ranges from AI, for a server like Midjourney, to gaming, for a server like Marvel Rivals. Usually, in large servers like these, Discord’s built-in moderation tools don’t provide enough support to monitor millions of users even with large moderation teams. That’s where Discord bots come in.

command.reply(“Hello World”)

Discord bots allow bot owners to perform actions using the API directly. This gives bots the ability to do significantly more complex actions than users are allowed. These actions range from a game of ping pong to a moderation system with multiple levels of infractions. Overall, Discord bots significantly improve the experience for server owners and users of the platform.

Capitalism Strikes Again

While some Discord bots are only made for one or a subset of servers, there are many “commercial” Discord bots. These bots allow anyone to add them to their server and use the functionality that they provide. Almost all commercial bots also offer a paid plan which supports the cost of operating and managing the bot’s complex systems. Additionally, developers are able to subsidize free users with paid ones which creates a great system for everyone: server owners get a bot with many features, being able to pay to get more, and bot developers get capital to run the bot and continue development.

config.txt

Since commercial Discord bots are not run on server owners’ devices, they have to provide a way to configure the bot. Sometimes this is done with commands, but that can be annoying to set up (speaking from experience). So, to avoid that pain, bot developers usually set up a web portal for server owners to configure the bot from. That is the center of my “attack”.<br>The reason I chose to target these and not another feature of the bot was twofold:

I had been doing a lot of web hacking recently with open source software.

There have been vulnerabilities found in the past through the web portals.

So, I thought it would be a fun exercise to see if I could find a vulnerability myself. Very Important Note: DO NOT TEST WITHOUT PERMISSION! I got verification from all bots here that no action will be taken against me for this issue. See the Footnote for official policies. 1

./setup.sh2

I started with a popular Discord bot Dyno. I went through the web portal to see if I could find any area where user input was taken in and not sanitized. I mainly did this through the debugger tool in Firefox where I searched for the phrase innerHTML. I eventually found embeds were created using innerHTML since they used markdown to render the fields.

Start Your Engines

I had found issues with markdown parsing in apps before, so I tried some of those common attack methods to see if any of them would work here. None of them did, which I thought would be the end of it. It was not. I found that certain paths inside rendered markdown bypassed the HTML sanitization step. This was true for 6 paths, which I figured out were all mentions. The easiest ones to figure out were @here and @everyone, both of which would not be injectable since the content was static. For the other four methods, users, roles, emojis, and channels, I was unsure how they were rendered since the frontend code was minified.

Vibefailing

AI has had huge advances in cybersecurity over the past few months. But, at the time of finding, its scope was more limited. One thing I found it was good at before many of these advances was reading minified frontend code, explaining its function, and identifying any possible attack surface.<br>Obviously, AI companies don’t want everyone going around and doing this to every website they see, so they prevent that functionality by default for users. Most AI companies provide exceptions to this for good-faith security research, which I was able to apply for and receive from Anthropic because of other security issues I had found in the past.<br>I asked whether this system was vulnerable and it told me (I lost the chat :sad:) something along the lines of “This system grabs the data for all mentionable items from the Dyno API. This system is not vulnerable since the only editable data is being pulled from Discord where it is sanitized.”

Perseverance

As much as I would like to believe everything AI says (my life would be much easier), I...

discord bots users server from found

Related Articles