Bug Description
When a web application links to pages, resources or external third-party services and those links are broken (the linked resource no longer exists), an attacker can claim those endpoints, serve content under the target website's name and impersonate its identity.
Severity: High
Impact
The attacker can post malicious content on the Discord channel; if a user clicks such a link, it can lead to theft of sensitive information (location, email, etc.) and to theft of the user's funds.
Impersonation attack
Loss of reputation for the company
It enables many kinds of impersonation attack
I have posted news articles that show what the real impact can be:
https://www.vauld.com/insights/baycs-discord-server-hacked-again/
https://www.theblock.co/post/145432/opensea-discord-account-hacked-to-promote-scam-nft-pass
https://fortune.com/2022/06/04/bored-ape-yacht-clubs-discord-server-was-hacked-with-360000-in-nfts-stolen-blame-debated/
https://www.coindesk.com/business/2022/06/04/yuga-labs-confirms-discord-server-hack-200-eth-worth-of-nfts-stolen/
Recommendation
Please purchase the vanity URL so that it cannot be changed or claimed by anyone else: https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link
References
https://bugcrowd.com/disclosures/40a60d98-cc7d-40eb-9e5b-87632875f055/discord-link-expired-possible-vanity-address-could-be-used-to-link-a-malicious-discord-server
Proof of Concept
Visit https://arable.finance/
Click on Discord
You will get "Invite Invalid"
Open Discord and open your server settings
Click on Vanity URL
Enter this URL: https://discord.gg/arable
The Discord channel is now fully taken over
If you have any confusion, feel free to ask me.
I have removed my vanity URL so you can claim it :)
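The condition the proof of concept relies on (a site still linking to an invite that no longer resolves) is something the site owner can monitor for. The following checker is an added example, not code from the report or from the affected project: it extracts every Discord invite code from a page and asks Discord's public invite lookup endpoint whether each one still resolves. The assumption that a dead or unclaimed invite answers 404 while a live one answers 200 is mine; the sample HTML is constructed.

```python
"""Dead Discord invite monitor (added example, not part of the original report)."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Matches discord.gg/<code>, discord.com/invite/<code>, discordapp.com/invite/<code>
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)"
)


def extract_invite_codes(html: str) -> List[str]:
    """Return the unique Discord invite codes referenced in a page, in order of appearance."""
    seen: List[str] = []
    for code in INVITE_RE.findall(html):
        if code not in seen:
            seen.append(code)
    return seen


def invite_is_valid(code: str) -> bool:
    """Query Discord's public invite endpoint (needs network access).
    Assumption: a dead or unclaimed invite answers 404 (Unknown Invite), a live one 200."""
    url = f"https://discord.com/api/v10/invites/{code}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return False
        raise


def audit_page(html: str, check: Callable[[str], bool] = invite_is_valid) -> Dict[str, bool]:
    """Map every invite code found in html to whether it still resolves.
    A False entry is a dangling link that anyone could register as a vanity URL."""
    return {code: check(code) for code in extract_invite_codes(html)}


# Constructed sample page: a footer with two Discord links and one unrelated link.
SAMPLE_HTML = """
<footer>
  <a href="https://discord.gg/arable">Discord</a>
  <a href="https://discord.com/invite/abc123XYZ">Community</a>
  <a href="https://twitter.com/example">Twitter</a>
</footer>
"""

if __name__ == "__main__":
    for code, ok in audit_page(SAMPLE_HTML).items():
        print(f"{code}: {'live' if ok else 'DEAD - re-register the vanity URL or remove the link'}")
```

Run it on a periodic schedule against your own pages; any code reported as dead should be re-registered on your server or removed from the site before someone else claims it.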