Hacker News new | ask | show | jobs
by jeffjeffbear 182 days ago
You have control over what displays on a page with a discord.com domain, you could manipulate the dom to have a login or something else and have it pass the data to your servers. A user would just see a link from discord.com
1 comments
bangaladore 182 days ago
Yeah, this one must be socially engineered-- but a (fake) login page when accessing a docs site would fool most people.

Thankfully the browser prevents sending the cookies cross origin or else this is just a single click exploit.

Edit: I gave too much credit to Discord here. They aren't protecting their tokens correctly.

link
rvnx 182 days ago
You can also just be logged-in on Discord web, so everything is accessible too
link