Security Questions about Discord

Discord security incidents have been in the news frequently of late. This article takes Discord security as its topic and walks through the security issues that arise on the platform.

In fact, Discord's security has been criticized for a long time, but Discord itself is not entirely to blame: the platform is very open. Much like early Android, where any app could obtain almost every system permission, a single insecure app puts the whole system at risk. The same holds for Discord's three roles (ordinary user, operator, developer): neglecting security in any one of them leads to problems.

Security is no small matter; I hope this article is useful to readers in each of those three roles.

For ordinary users

The main reason users lose assets on Discord is the sheer volume of phishing links posted there. To avoid being phished, ordinary users should pay attention to the following points:

Turn off direct messages from server members

If this option is on, any member of a server can open a private chat with you, and that member's avatar and username can be made to look identical to an administrator's. It is easy to drop your guard and trust such an account, so when it sends you a link you may be phished.

Friend requests also deserve attention. I once asked a question in OpenSea's Discord, and right afterwards an account whose avatar and name were identical to a Discord administrator's sent me a friend request. Simply ignore requests like this.

Do not click on unknown links

The screenshot shows a message posted in OpenSea's official Discord announcing that OpenSea would partner with YouTube to issue NFTs, with only 100 free spots. A novice user who sees this message may immediately FOMO. After clicking the link in the screenshot, the site they land on looks roughly like this.

The domain name and the page both look plausible. Thinking there are only 100 spots, you click Claim to grab the mint, but once the transaction executes, your NFTs are gone.

So be vigilant whenever you see news like this. Generally, a project that intends to issue NFTs announces it well in advance; a message that suddenly tells you an NFT drop is happening right now is usually fake.

How to judge a phishing website

Whenever you see a link, no matter who sent it (a group member, an administrator, or a bot), check before clicking whether the domain name is the project's official domain. If it is not, be very vigilant once you are on the site:
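As an added example (not code from the original article), the following Python helper performs the domain check described above: it extracts the hostname a browser would actually connect to and compares it with an allow-list of official domains, rejecting the usual tricks (official name used as a subdomain of an attacker's domain, official name hidden in the userinfo part of the URL, hyphenated or punycode look-alikes, plain http). The allow-list and the sample links are constructed for this example; opensea.io is OpenSea's real domain, the other entry is a placeholder for your own project.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Allow-list of official project domains. Constructed for this example: opensea.io is
# OpenSea's real domain, "example-project.xyz" is a placeholder for your own project.
OFFICIAL_DOMAINS = {"opensea.io", "example-project.xyz"}


def connecting_host(url: str) -> Optional[str]:
    """Return the lowercase hostname the browser would actually connect to,
    or None when the link is not a plain https URL.

    urlsplit().hostname discards the userinfo part, so a link such as
    https://opensea.io@evil.example/ correctly resolves to evil.example.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_official_link(url: str) -> Tuple[bool, str]:
    """Decide whether a link points at an official domain (or a subdomain of one)."""
    host = connecting_host(url)
    if host is None:
        return False, "not an https link"
    # Punycode (xn--) or non-ASCII labels are how look-alike domains (e.g. an "o"
    # replaced by a Cyrillic letter) are encoded; treat them as suspicious.
    if any(label.startswith("xn--") or not label.isascii() for label in host.split(".")):
        return False, f"internationalised hostname {host!r}; possible look-alike"
    for official in OFFICIAL_DOMAINS:
        if host == official or host.endswith("." + official):
            return True, f"{host!r} belongs to official domain {official!r}"
    return False, f"{host!r} is not an official domain"


if __name__ == "__main__":
    # Constructed sample links, including the common tricks seen in phishing posts.
    for link in (
        "https://opensea.io/collection/example",
        "https://Mint.OpenSea.IO/claim",
        "https://opensea.io.evil.example/claim",   # official name used as a subdomain
        "https://opensea.io@evil.example/claim",   # official name hidden in userinfo
        "https://opensea-io.example/claim",        # hyphenated look-alike
        "http://opensea.io/claim",                 # plain http, not https
    ):
        print(f"{link:45} -> {is_official_link(link)}")
```

Only an exact match or a subdomain of an allow-listed domain passes; everything else, including links that merely contain the official name somewhere, is reported with the reason so the user sees why it was rejected.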

 

If the MetaMask pop-up that the site triggers only asks for permission to view your wallet address, that is safe, as in the following picture:

This operation merely authorizes the website to see your wallet address; it cannot do anything with your assets.

When you continue browsing the site and it asks you to perform wallet operations, you need to pay special attention. Websites generally invoke MetaMask for a few types of operation:

Transfer

The MetaMask pop-up for a transfer

If the site triggers a transfer request like the one in the screenshot, check that the destination address is the address you actually intend to send to and that the amount is correct.

Transfers are relatively simple: just verify the recipient address and the amount.

Sign

Generally, the purpose of requesting a signature is to prove that you control the wallet address. For example, the Discord bot CollabLand uses a signature to verify that you own the wallet and that the wallet holds the NFT; once verification passes, you are granted the Holder role.

If the signature content is readable plain text like this, there is no problem: you can understand what the message says. But be aware that signing carelessly can also lead to asset losses.

But if the signature content looks like the screenshot above and you do not understand what it is, do not proceed. The content in that pop-up is an OpenSea sell-order signature, and the attacker may have set the order price to 0.001 ETH. If you sign it by accident on a phishing site, your NFT may be sold to the phisher at that price.

 

Therefore, there is a general principle for signing messages: sign if you can understand them, and don’t sign if you can’t.
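As an added example (not from the original article), this Python helper applies the rule above to the two signing methods MetaMask exposes: a personal_sign message is decoded and checked for human readability, and an eth_signTypedData_v4 payload is summarised and flagged when its primary type is an order or permit, i.e. a signature that can move assets once someone else relays it. The parameter shapes, the list of order/permit type names and the sample sell order are assumptions labelled in the code; the sample is a simplified 0.001 ETH order with illustrative field names, not OpenSea's actual schema.

```python
import json
from typing import Any, Dict, List

# Typed-data primary types that describe an order or a token permit: signatures that
# can move assets when relayed by a third party. Constructed starting list:
# OrderComponents is the Seaport (OpenSea) order type, Permit is the ERC-2612 type.
ASSET_MOVING_TYPES = {"OrderComponents", "Permit", "PermitForAll", "PermitSingle", "PermitBatch"}


def hex_to_text(payload: str) -> str:
    """Decode a 0x-prefixed hex string as UTF-8 text (raises if it is not valid UTF-8)."""
    raw = bytes.fromhex(payload[2:] if payload.lower().startswith("0x") else payload)
    return raw.decode("utf-8")


def is_human_readable(text: str) -> bool:
    """True when the text is non-empty and every character is printable (newlines/tabs allowed)."""
    return bool(text.strip()) and all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def inspect_signature_request(method: str, params: List[Any]) -> Dict[str, Any]:
    """Classify a wallet signature request as readable, opaque, or asset-moving.

    Assumed parameter shapes (how MetaMask hands them to the wallet):
      personal_sign:        [message_hex_or_text, signer_address]
      eth_signTypedData_v4: [signer_address, typed_data_json]
    """
    if method == "personal_sign":
        message = params[0]
        try:
            text = hex_to_text(message) if message.lower().startswith("0x") else message
        except (ValueError, UnicodeDecodeError):
            return {"method": method, "readable": False,
                    "verdict": "binary payload; cannot be understood, do not sign"}
        if is_human_readable(text):
            return {"method": method, "readable": True, "text": text,
                    "verdict": "plain text; sign only if the wording matches what the site claims"}
        return {"method": method, "readable": False, "verdict": "unprintable content; do not sign"}

    if method == "eth_signTypedData_v4":
        typed = json.loads(params[1])
        primary = typed.get("primaryType", "")
        result: Dict[str, Any] = {
            "method": method,
            "readable": False,
            "dapp": typed.get("domain", {}).get("name"),
            "primary_type": primary,
            "fields": sorted(typed.get("message", {})),
            "asset_moving": primary in ASSET_MOVING_TYPES,
        }
        result["verdict"] = (
            "order or permit signature: it can move your assets, do not sign it on an unfamiliar site"
            if result["asset_moving"]
            else "structured data; sign only if you understand every field"
        )
        return result

    return {"method": method, "readable": False, "verdict": "unknown signing method; do not sign"}


# Constructed sample: a simplified sell order like the one in the screenshot, priced at
# 0.001 ETH (1_000_000_000_000_000 wei). Field names are illustrative, not the real schema.
SAMPLE_SELL_ORDER = json.dumps({
    "domain": {"name": "Seaport", "version": "1.1", "chainId": 1},
    "primaryType": "OrderComponents",
    "message": {
        "offerer": "0x" + "11" * 20,
        "offer": [{"token": "0x" + "22" * 20, "identifier": "4242"}],
        "consideration": [{"token": "0x" + "00" * 20, "amount": "1000000000000000"}],
    },
})

if __name__ == "__main__":
    signer = "0x" + "ab" * 20
    login = "0x" + "Sign in to verify wallet ownership. Nonce: 8f3a".encode().hex()
    print(inspect_signature_request("personal_sign", [login, signer]))
    print(inspect_signature_request("eth_signTypedData_v4", [signer, SAMPLE_SELL_ORDER]))
```

The holder-verification login message decodes to readable text and is accepted; the order is surfaced with its dapp name, primary type and field names so the user can see that they are about to sign a sale rather than a proof of ownership.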

 

Contract call

This is the most common case on dapp websites, for example minting an NFT.

For a contract call, the first thing to determine is whether the "contract address" is the officially announced one. Once the address checks out, look at the "function type" of the call. If the function shown is approve, setApprovalForAll, transfer, safeTransferFrom or similar, be vigilant: these authorize someone else to move your assets, and they are the most common phishing vector.

So the overall principle for contract calls is: confirm that the contract address is correct, and confirm that the function being called is not approve, setApprovalForAll, transfer, safeTransferFrom or the like.
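As an added example (not code from the original article), the following Python triage routine applies the checks of the Transfer and Contract call sections to a MetaMask eth_sendTransaction request: a plain transfer is reduced to the recipient and amount the user must verify, and a contract call is checked against an allow-list of announced contract addresses while its function selector is matched against the approval and transfer functions named above. The contract addresses, the phisher address and the sample transaction are constructed; the selectors are the standard ERC-20/ERC-721 ones. In the sample the collection contract is itself legitimate, so the address check alone passes and only the function check catches the approval.

```python
from typing import Any, Dict, Iterable

WEI_PER_ETH = 10 ** 18

# Function selector = first 4 bytes of keccak256(signature). These are the well-known
# ERC-20 / ERC-721 selectors of the functions the article warns about.
ASSET_MOVING_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
}


def word_to_address(word: bytes) -> str:
    """An ABI-encoded address is right-aligned in a 32-byte word."""
    return "0x" + word[12:32].hex()


def inspect_transaction(tx: Dict[str, str], official_contracts: Iterable[str]) -> Dict[str, Any]:
    """Triage an eth_sendTransaction request ({to, value, data} as hex strings).

    Native transfers get a recipient/amount check; contract calls get an address
    check plus a look at the function selector and its first two arguments.
    """
    to = tx.get("to", "").lower()
    value_wei = int(tx.get("value") or "0x0", 16)
    data = tx.get("data") or "0x"
    payload = bytes.fromhex(data[2:] if data.lower().startswith("0x") else data)
    result: Dict[str, Any] = {"to": to, "value_wei": value_wei,
                              "value_eth": value_wei / WEI_PER_ETH, "warnings": []}

    if not payload:
        result["kind"] = "native transfer"
        result["check"] = "confirm the recipient address and the amount before approving"
        result["safe_to_continue"] = True
        return result

    result["kind"] = "contract call"
    if to not in {c.lower() for c in official_contracts}:
        result["warnings"].append(f"contract {to} is not an officially announced address")

    selector = payload[:4].hex()
    args = [payload[i:i + 32] for i in range(4, len(payload), 32)]
    signature = ASSET_MOVING_SELECTORS.get(selector)
    result["function"] = signature or f"unknown selector 0x{selector}"
    if signature:
        name = signature.split("(")[0]
        result["warnings"].append(f"{name} authorises another party to move your assets")
        if name == "setApprovalForAll" and len(args) >= 2:
            result["operator"] = word_to_address(args[0])
            result["approved"] = int.from_bytes(args[1], "big") == 1
        elif name in ("approve", "transfer") and len(args) >= 2:
            result["counterparty"] = word_to_address(args[0])
            result["amount"] = int.from_bytes(args[1], "big")
    result["safe_to_continue"] = not result["warnings"]
    return result


# Constructed sample values: the project's announced mint contract, the (legitimate)
# NFT collection contract, and an attacker-controlled operator address.
MINT_CONTRACT = "0x" + "11" * 20
COLLECTION = "0x" + "22" * 20
OFFICIAL_CONTRACTS = {MINT_CONTRACT, COLLECTION}
PHISHER = "0x" + "de" * 20

# setApprovalForAll(PHISHER, true), ABI-encoded by hand: selector + two 32-byte words.
SAMPLE_APPROVAL_TX = {
    "to": COLLECTION,
    "value": "0x0",
    "data": "0xa22cb465" + PHISHER[2:].rjust(64, "0") + "1".rjust(64, "0"),
}

if __name__ == "__main__":
    print(inspect_transaction(SAMPLE_APPROVAL_TX, OFFICIAL_CONTRACTS))
    print(inspect_transaction({"to": "0x" + "33" * 20, "value": hex(10 ** 15), "data": "0x"}, OFFICIAL_CONTRACTS))
```

The result dictionary carries the decoded operator or spender so that a user comparing it with the screenshot can see exactly which address would gain control of their assets.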

 

For operators

The points above let ordinary users avoid most pitfalls, but Discord operators carry more responsibility: they must protect community members and avoid losses caused by their own negligence. Operators should pay attention to the following:

Enable 2FA

Without 2FA, once the account password leaks, an attacker can use the administrator's account to post phishing messages.

Don't click on unfamiliar links

Phishing sites that specifically target Discord administrators have been observed. Once the administrator visits the site and follows its instructions, the attacker obtains the administrator's Discord session. With that session the attacker bypasses both 2FA and login verification and takes over the community as an administrator. The tweets below contain a detailed analysis for anyone interested.

Add as few bots as possible

Every bot added to a community increases its attack surface. Any bot compromised by an attacker can be used to run a scam against the community's Discord.

The Crepto community has added only one external bot, CollabLand, to verify holder identity, which is already standard for Discord communities. Unless another bot is truly required, the Crepto community will not add any more.

Bots are granted excessive permissions

When adding bots, Discord administrators need to look at the server permissions each bot requests and adhere to the principle of least privilege. If a bot with simple functionality requires administrator permissions, it is best not to add it. If the bot's project is compromised, at best the bot just sends spam to your community; at worst it can remove every user and delete every channel and record.

The screenshot above shows the CollabLand bot asking for the highest level of access to the server: it requests the "Administrator" permission. CollabLand's function is to grant a particular role to verified holders, so in fact it only needs the permissions to manage members and roles, but I don't know why it requires the highest permission. I hope readers who know will let me know.

So for Discord administrators, Discord security mainly comes down to:

the security of administrator accounts

the security of bots

Administrator account security can be ensured by raising the team's security awareness, but administrators have no control over a bot's own security, so their only lever is to use fewer bots and grant them fewer permissions.

For developers

Keep the bot's token safe

Every Discord developer knows that a bot's lifeline is its token. Once an attacker obtains the token, they can make your bot do whatever they want, so treat the bot token with the same care as a wallet private key.

Secure the server the bot runs on

Server security is an endless topic, but one reminder: the bot runs on the server, so a compromised server means the bot token has leaked too, along with all the Discord data the bot has access to.

Rotate the token regularly

Just as some websites require users to change their passwords periodically, Discord does not force developers to rotate bot tokens, but I think making a habit of regular rotation is essential, especially when your bot has a large user base.

Request only the permissions the bot needs

Do not mindlessly request the server's "Administrator" permission. Work out which functions your bot actually needs and request only the corresponding permissions. That way, even if your bot is compromised, the damage stays contained.
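As an added example (not part of the article), the following Python audit covers both the operator's check of a bot's requested server permissions (the "Bots are granted excessive permissions" section) and the developer's rule of requesting only what the bot needs: it decodes the permissions integer from a bot OAuth2 invite link, compares it with the flags the bot's features actually require, and builds the minimal integer for a role-granting bot. The bit positions are Discord's documented permission flags; the client_id, the invite link and the assumption that a holder-verification bot only needs MANAGE_ROLES are constructed for the example.

```python
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

# Discord permission bit flags (bit positions as documented in the Discord API).
PERMISSIONS: Dict[str, int] = {
    "CREATE_INSTANT_INVITE": 1 << 0,
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Permissions that let a compromised bot wipe a server or spam every member.
HIGH_IMPACT = {"ADMINISTRATOR", "KICK_MEMBERS", "BAN_MEMBERS", "MANAGE_CHANNELS",
               "MANAGE_GUILD", "MANAGE_WEBHOOKS", "MENTION_EVERYONE"}


def decode_permissions(value: int) -> List[str]:
    """Expand a permissions integer into flag names; bits not in the table are reported by position."""
    names = [name for name, bit in PERMISSIONS.items() if value & bit]
    leftover = value & ~sum(PERMISSIONS.values())
    position = 0
    while leftover:
        if leftover & 1:
            names.append(f"UNKNOWN_BIT_{position}")
        leftover >>= 1
        position += 1
    return names


def minimal_permissions(needed: Iterable[str]) -> int:
    """Build the smallest permissions integer that covers exactly the listed flags."""
    value = 0
    for name in needed:
        value |= PERMISSIONS[name]
    return value


def permissions_from_invite(url: str) -> int:
    """Read the permissions= parameter from a bot OAuth2 invite link (0 if absent)."""
    query = parse_qs(urlsplit(url).query)
    return int(query.get("permissions", ["0"])[0])


def audit_bot_permissions(requested: int, needed: Iterable[str]) -> Dict[str, object]:
    """Compare what a bot asks for against what its features actually need."""
    needed_set = set(needed)
    granted = set(decode_permissions(requested))
    excess = sorted(granted - needed_set)
    administrator = "ADMINISTRATOR" in granted  # implies every other permission
    return {
        "granted": sorted(granted),
        "excess": excess,
        "high_impact_excess": sorted(set(excess) & HIGH_IMPACT),
        "administrator": administrator,
        "acceptable": not excess and not administrator,
    }


if __name__ == "__main__":
    # Constructed invite link asking for ADMINISTRATOR (permissions=8), as in the screenshot;
    # the client_id is a placeholder. Assumption: a holder-verification bot only needs MANAGE_ROLES.
    invite = "https://discord.com/api/oauth2/authorize?client_id=000000000000000000&permissions=8&scope=bot"
    print(audit_bot_permissions(permissions_from_invite(invite), {"MANAGE_ROLES"}))
    print("minimal permissions for a role-granting bot:", minimal_permissions({"MANAGE_ROLES"}))
```

An operator runs the audit on the invite link before clicking it; a developer uses minimal_permissions to generate the integer that goes into the invite link in the first place, so the two sides of the least-privilege principle meet on the same number.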

 

The overall principle for developers: keep the bot token secure and request the minimum permissions for your bot.