hxr404
commented
3 years ago And verifying the Phone does also change the token
Closed hxr404 closed 2 years ago
hxr404
commented
3 years ago And verifying the Phone does also change the token
hxr404
commented
2 years ago like I said in #13 I forgot closing this issue, I continued my "research" here: https://github.com/hxr404/Discord-Console-hacks#inner-workings-of-discord
mfa tokens are just JWT's with this syntax: "mfa." + HMAC
If somone enables 2FA on their account, the token changes. You can still log in with theses Tokens, like with normal ones.
Here is an example of my alt's Token: (replaced capital letters with A, numbers with 0 and small letter with a)
mfa.AAaAa0a0AaaAAaaaA0A_aAAAaAaAaAAaAAa000aa0AAaa0A-0A0aAAaa0aAAAAaa0aaaAaaAAA0aAa00aaaAand after changing the password:mfa.AaAaaAaAA0aaaAaaAAAaaaaaaaAAaaA0AaaaaaaAaAaAaAaAa0AaAA0aAA0-AaAaAaaAa00AAaA0AaAaaAAAThe 1st and the 2nd token doesn't have anything in common (except.
mfa.the length and the fact that they only use certain chars (upper/lower case letters, numbers,-or_) my alt had a verified email and no verified mobile idk if this changes somethingMaybe You can figure out how they are generated (could be a hash of a normal token? idk) Thanks
PS Everyone who reads this, dont try to bruteforce the tokens, I deleted the account