LengoLabs / qbot

Qbot is an advanced, easy to setup, free, and unbranded Discord-Roblox ranking bot. If at any time during setting it up you need assistance, you can join the support server.
https://discord.gg/J47m7t4
MIT License

qbot & roblox bot account protection & private projects #38

Closed msami789 closed 4 years ago

msami789 commented 4 years ago

Yesterday someone hacked into the bot account that qbot uses to operate and raided my group. I need to know if I can set these precautions without the ranking system breaking:

Thanks. 👍

yogurtsyum commented 4 years ago

Hello, what are you using to host your bot, and have you ever sent your bot token or cookie anywhere?

Also, is “Public Bot” enabled in the settings of your Discord bot application?

yogurtsyum commented 4 years ago

Because this is nearly impossible unless the bot token or cookie (or password) was somehow publicized somewhere.

IeuanGol commented 4 years ago

Are you sure they had access via qBot?

This could be because the user has the Ranking Permission role.

If this isn't the case, perhaps your credentials were exposed.

If you're going to pay for something, I recommend buying a VPS; on Digital Ocean you can buy a single server for $5/month.

yogurtsyum commented 4 years ago

My guess is the issue is not with the credentials being exposed or someone having the role.

My guess is that they have it so “Public Bot” is enabled and anyone can invite the bot.

Although for added security and uptime, VPSs are great choices.

msami789 commented 4 years ago

@yogurtsyum @IeuanGol I'm not saying this was done via hacking qbot, but I wanted to know mainly if I can set two factor authentication and the system will still be able to log in via cookie.

My guess is that they have it so “Public Bot” is enabled and anyone can invite the bot.

Ahah! You might be right, I forgot to turn off public invites. That must be how, because there was no log of someone using the ranking bot, nor was there a log of the message that it ranked being deleted.

IeuanGol commented 4 years ago

2FA shouldn't make a difference since it is done via cookie.

msami789 commented 4 years ago

And look what I found: [screenshot: Screen Shot 2020-09-06 at 11 31 27 AM]. Looks like someone found out the bot token.

Will change the token and turn off public

IeuanGol commented 4 years ago

Bots can only be added via a client ID which is publicly available information.

But yes definitely turn off public and leave that server.

yogurtsyum commented 4 years ago

You don't need the bot token to add it to a server, just the Client ID, which is pretty much public information.

Be sure to make sure the bot leaves that extra server it's in, as resetting the token by itself would not do that.