Occasionally, when a person uses a Nitro Server Boost, the Nitro Booster role is generated with permissions different from the @everyone role, sometimes resulting in the role gaining administrator status.
Occurrence 1 (heard second-hand):
- A Nitro user boosted a server.
- Their name appeared in channels for which they previously did not have read permissions.
- Nitro Booster role was edited to remove those permissions.
As far as I can tell, they were the first to boost in that server.
Occurrence 2 (experienced first-hand):
- A user with an admin-style role boosted a server.
- I boosted the same server.
- I found out nearly 24 hours later that I had kick / ban privileges.
- I found that I had Server Settings available, so checked the Nitro Booster role.
- The Nitro Booster role had Administrator privileges checked.
- I informed the admins and they properly reset the permissions.
Note: The Nitro Booster permissions did not match the permissions of the role of the one who first boosted the server. When I viewed, the other user's role had Administrator, Kick, and Ban privileges all checked. Nitro Booster, however, had Aministrator checked, and Kick and Ban unchecked. (I didn't view all privileges, just enough to notice the distinction.)
This could be a pretty major security issue and should be addressed ASAP if possible.
Post is closed for comments.