Hidden channels + descriptions leaking through API
There exists a BetterDiscord plugin called “return-ShowHiddenChannels” which allows users to read hidden channel names and descriptions.
This indicates a data leak in the API, as admins would not expect their private channel names and descriptions to be publicly visible. Channel descriptions can link to internal documents or invite URLs with tokens in them.
It is not clear to me how, or through which endpoint, this data is made accessible to the plugin, but it fundamentally demonstrates a data leak. Trying to hide sensitive data client-side is a bad practice.
This is not the first time this issue has been posted, but it's clear that the issue has not been resolved yet.
- “Just don't put sensitive stuff there.” Sure, I removed the sensitive stuff when I read about this, but other Discord admins will assume that private = private. Doesn't fix the issue.
- “This has been the case for a long time.” Doesn't fix the issue.
- “It's hard to design it differently”. Doesn't fix the issue.
- “People depend on this broken API”. Doesn't fix the issue.
This has been a thing since Discord's inception; it should be a well-known thing by now.
It isn't some random route leaking data: the route to list channels doesn't filter via permissions, likely because it doesn't make sense performance-wise, so every client always knows about every channel that exists in a guild (besides threads, those are private).
Channel topics should not be used to store anything sensitive; put it in a pinned message or something.
Changing this now would be a breaking API change, and considering it has been the same way for almost a decade, I don't see it changing any time soon.
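An added illustration, not part of either post above and not Discord's code, of the two patterns the thread contrasts: a channel-list route that returns every channel and trusts the client to hide the ones a member cannot view (so a modified client reveals their names and topics), beside a route that filters on the server so hidden channels never reach the client. The guild, channels, roles and members are constructed sample data, and the role-based permission check is a simplified assumption; Discord's real permission system and endpoints are not modelled.

```javascript
// Added illustration, not Discord's code: a constructed guild whose channel list
// is returned unfiltered (the behaviour described in the thread) next to a
// server-side filter that never sends hidden channels to the client.
// Channel, member and role shapes are simplified assumptions.

const guild = {
  id: "guild-1",
  channels: [
    // allowRoles === null means everyone in the guild may view the channel
    { id: "c1", name: "general",  topic: "Welcome!", allowRoles: null },
    { id: "c2", name: "mod-chat", topic: "Case notes: https://docs.example/internal", allowRoles: ["mod"] },
    { id: "c3", name: "finance",  topic: "Join: https://chat.example/invite/abc123", allowRoles: ["admin"] },
  ],
};

// Constructed members: alice is staff, bob is a plain member with no roles.
const members = {
  alice: { id: "alice", roles: ["admin", "mod"] },
  bob:   { id: "bob",   roles: [] },
};

// Simplified permission check (assumption): a channel is viewable if it is open
// to everyone or the member holds one of its allowed roles.
function canView(channel, member) {
  if (channel.allowRoles === null) return true;
  return channel.allowRoles.some((role) => member.roles.includes(role));
}

function toPublicShape(channel) {
  return { id: channel.id, name: channel.name, topic: channel.topic };
}

// Leaky pattern from the thread: the list route ignores permissions and the
// client is trusted to hide channels the member cannot view.
function listChannelsUnfiltered(guild, _member) {
  return guild.channels.map(toPublicShape);
}

// What a stock client renders from that response: it checks each channel's
// permissions locally and drops the hidden ones from the sidebar.
function renderStockClient(response, guild, member) {
  return response.filter((c) => canView(guild.channels.find((g) => g.id === c.id), member));
}

// A modified client (the "show hidden channels" idea) simply skips that step;
// the names and topics were already present in the response it received.
function renderModifiedClient(response) {
  return response;
}

// Server-side filter: a channel the member cannot view never leaves the server,
// so no client modification can reveal its name or topic.
function listChannelsForMember(guild, member) {
  return guild.channels.filter((c) => canView(c, member)).map(toPublicShape);
}

// Audit helper: names of channels in a response that the member should not see.
function hiddenChannelsExposed(guild, member, response) {
  return response
    .filter((c) => !canView(guild.channels.find((g) => g.id === c.id), member))
    .map((c) => c.name);
}

// Demo run with the constructed data.
const leakyResponse = listChannelsUnfiltered(guild, members.bob);
console.log("stock client shows:", renderStockClient(leakyResponse, guild, members.bob).map((c) => c.name));
console.log("modified client shows:", renderModifiedClient(leakyResponse).map((c) => c.name));
console.log("leaked to bob by unfiltered route:", hiddenChannelsExposed(guild, members.bob, leakyResponse));
console.log("leaked to bob by filtered route:", hiddenChannelsExposed(guild, members.bob, listChannelsForMember(guild, members.bob)));
```

The point the example makes is the one both posts circle around: once the unfiltered response has reached the client, the hide step is advisory, and a plugin that skips it sees the "mod-chat" and "finance" names and topics. Filtering in `listChannelsForMember` is the only place the check actually holds, at the cost of per-member work on the server that the reply above cites as the likely reason the route behaves as it does.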