Found the potential #discord tokenstealer people were talking about earlier today on here.
It's in the script of minerva-archive [.] org and the "soon to be discontinued piracy site" that was referenced in that post is (to nobody's surprise) Myrient.
Also putting the discord login token into a "Bearer {token}" Authorization header towards a non-discord server is extremely shady.
-
People in the Myrient discord are defending this as a "it does not have any permissions it's just there to ensure the acc exists"
I really do not know why anyone would want to aggregate data on the discord accounts of people that are doing illegal downloads from Myrient. And not just that also uploading that data to another project that wants to publish it…
Assuming the token permission part is true, that smells like a honeypot.
They get, discord account, IP, date-time as proof for lawsuits
(I have not validated what permissions that discord token actually requests so far)
The script I analysed has the following sha256sum:
fcb7f854d0527c7615cb46fe5e0591db2106b0881f616ec9ad770f8474a20b52 minerva.py
-
So here is the discord Oauth part:
redirect_uri=hXXps://minerva-archive.org/auth/discord/callback&response_type=code&scope=identify
The localhost redirect URL is apparently only stage 2. They're doing an OAuth against their server that does an OAuth against discord. So the Token they put into the Bearer header is in fact the one towards their server.
However that doesn't change the fact that they're clearly creating evidence for people publishing copyrighted material...
-
So Tl;Dr: Smells like honeypot but not like a "discord token stealer" as that token has no permissions.
HOWEVER they could be asking for different kinds of permissions and only serve a handful of people OAuth links that request more as they're doing a 2-step process here.
The App does a generic Oauth against their server and their server does an OAuth against discord (and their server does the forwarding to the Discord OAuth url) so technically others could get requests for more permissions…
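
The scope concern in the post above can be checked per user on the authorize URL the browser finally lands on. The following is an added example, not part of the original thread and not code from minerva.py; the Discord host and path, the placeholder client_id and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

DISCORD_HOSTS = {"discord.com"}                  # assumption: host of Discord's consent page
EXPECTED_SCOPES = {"identify"}                   # scope seen in the thread
EXPECTED_REDIRECT_HOST = "minerva-archive.org"   # redirect_uri host seen in the thread


def audit_authorize_url(url):
    """Return findings for the authorize URL the intermediary server forwards to.

    An empty list means the request matches what the thread observed.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    findings = []

    # A lookalike host means the consent page is not Discord's at all.
    if parts.scheme != "https" or parts.hostname not in DISCORD_HOSTS:
        findings.append(f"not-discord-host:{parts.hostname}")

    # OAuth scopes are a space-delimited list; parse_qs already decoded %20 and '+'.
    scopes = set(" ".join(query.get("scope", [])).split())
    if not scopes:
        findings.append("no-scope-parameter")
    extra = sorted(scopes - EXPECTED_SCOPES)
    if extra:
        findings.append("extra-scopes:" + ",".join(extra))

    if query.get("response_type") != ["code"]:
        findings.append(f"response-type:{query.get('response_type')}")

    redirect_host = urlsplit(query.get("redirect_uri", [""])[0]).hostname
    if redirect_host != EXPECTED_REDIRECT_HOST:
        findings.append(f"redirect-host:{redirect_host}")
    return findings


# Constructed sample URLs (client_id is a placeholder, redirect_uri kept defanged).
BASE = ("client_id=000000000000000000"
        "&redirect_uri=hXXps%3A%2F%2Fminerva-archive.org%2Fauth%2Fdiscord%2Fcallback"
        "&response_type=code&scope=")
SAMPLES = {
    "as seen in thread": "https://discord.com/oauth2/authorize?" + BASE + "identify",
    "wider scopes": "https://discord.com/oauth2/authorize?" + BASE + "identify%20guilds%20email",
    "lookalike host": "https://discord.com.example.net/oauth2/authorize?" + BASE + "identify",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(f"{label}: {audit_authorize_url(url) or 'ok'}")
```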
-
Within the Myrient discord someone said that this "binding the act to your discord identity" could be part of their abuse protection to protect themselves from people uploading malicious files and such.
If it is, it fails at the only job it had as any malicious actor can just edit the python script to upload any file they want while keeping the discord part as is...
(Oh, and the same I said for the discord token in the former post is also true for their auto updater)