ArableProtocol / arable-contracts-official


arable official discord channel takeover #5

Open mikykatwal opened 1 year ago

mikykatwal commented 1 year ago

Bug Description

When a web application has pages, sources or links to external third-party services that are broken, an attacker can claim those endpoints, successfully conduct the attack on behalf of the target website and impersonate its identity.

Severity: High

Impact

The attacker can post malicious content on the Discord channel, and if a user clicks on that link it leads to theft of sensitive information like location, email, etc., and can lead to theft of the user's funds.

- Impersonation attack
- Loss of the company's reputation
- Leads to many types of impersonation attack

I have posted news articles that show what the real impact can be:

- https://www.vauld.com/insights/baycs-discord-server-hacked-again/
- https://www.theblock.co/post/145432/opensea-discord-account-hacked-to-promote-scam-nft-pass
- https://fortune.com/2022/06/04/bored-ape-yacht-clubs-discord-server-was-hacked-with-360000-in-nfts-stolen-blame-debated/
- https://www.coindesk.com/business/2022/06/04/yuga-labs-confirms-discord-server-hack-200-eth-worth-of-nfts-stolen/

Recommendation

Please purchase the vanity URL so it cannot be changed: https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link

References

https://bugcrowd.com/disclosures/40a60d98-cc7d-40eb-9e5b-87632875f055/discord-link-expired-possible-vanity-address-could-be-used-to-link-a-malicious-discord-server

Proof of Concept

Visit https://arable.finance/

Click on Discord

You will get "Invite Invalid"

Open Discord and click on your server settings

Click on Vanity URL

Put in this URL: https://discord.gg/arable

The Discord channel is fully taken over.

If you have any questions, feel free to ask me.

I have removed my vanity URL so you can claim it :)
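The defensive check that catches this class of issue is a periodic audit of the external invite links a site publishes. The following is an added example (not code from the reporter or the project): it extracts Discord invite codes from page HTML, flags invalid ones, and separates vanity invites (which should be reclaimed) from expired random invites (which should simply be replaced). The live resolver uses Discord's public GET /invites/{code} endpoint; the `is_valid` callback is injected so the audit can run against a stub offline. The sample HTML below is constructed.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Matches discord.gg/<code> and discord.com/invite/<code> links in page HTML.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)

def extract_invite_codes(html: str) -> List[str]:
    """Return the unique Discord invite codes referenced in a page, in order of appearance."""
    seen: List[str] = []
    for code in INVITE_RE.findall(html):
        if code not in seen:
            seen.append(code)
    return seen

def looks_like_vanity(code: str) -> bool:
    """Heuristic (assumption): vanity invites are human-chosen lowercase words,
    while auto-generated invites are mixed-case alphanumeric strings."""
    return re.fullmatch(r"[a-z-]+", code) is not None

def audit_invites(html: str, is_valid: Callable[[str], bool]) -> Dict[str, dict]:
    """Classify every invite on the page; an invalid vanity invite is the dangerous case,
    because anyone with an eligible server can register that custom URL."""
    report: Dict[str, dict] = {}
    for code in extract_invite_codes(html):
        valid = is_valid(code)
        vanity = looks_like_vanity(code)
        if valid:
            finding = None
        elif vanity:
            finding = "dangling vanity invite: reclaim the custom URL or remove the link"
        else:
            finding = "expired invite: replace it with a current one"
        report[code] = {"valid": valid, "vanity": vanity, "finding": finding}
    return report

def discord_invite_is_valid(code: str) -> bool:
    """Live resolver: the public invite endpoint answers 200 for a valid invite, 404 otherwise."""
    req = urllib.request.Request(f"https://discord.com/api/v10/invites/{code}",
                                 headers={"User-Agent": "invite-link-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return False
        raise

# Constructed sample page: one vanity invite and one random-looking invite.
SAMPLE_HTML = ('<a href="https://discord.gg/arable">Discord</a> '
               '<a href="https://discord.com/invite/AbC123xyZ">Support</a>')
```

Run `audit_invites(SAMPLE_HTML, discord_invite_is_valid)` against your own site's HTML on a schedule and alert on any non-empty `finding`.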

mikykatwal commented 4 months ago

.