Closed hxr404 closed 3 years ago
What I couldn't test:
what different accounts have as unique 3 letters and considering all parameters of those accounts (age, verified stage, id, etc.)
How verifing E-Mail / Phone number affects the token
How changing E-Mail / Phone number affects the token
I created a PR #14 where I updated the Readme
after checking, trying to confirm what you said is true - most of what you said are true - except the middle part. On my alt account, the middle part is YA8VSQ
.
Anyways, do you think the last part is some kind of hash of username + password? Because every time when you change your password the token changes too.
Also, for accounts that have 2 factor verification on, will always have a token starts with mfa.
@TKperson I explained it bad, the middle part is always the same for your account only (for each Token you generate) but not for others. For User Accounts its the first 3 chars and for Bot account all 6. Now we can think about what changes for user accounts but not for Bot accounts, and than we'll maybe know what they represent. But at the moment idk what this could be
I think the last part is some Kind of RNG Value, bc if you set the password exactly the same, it changes anyways. If you verify your Email/Phone it also changes. I think its just a RNG function that gets triggered by one of those actions. (Its the real "password" bc the first part can easily be calculated, and I think the 2nd part also isn't random and just represents smth.=
For 2 factor verification there is another issue, #12
the token syntax is as follows:
mfa tokens are far more difficult to generate as they do not follow this syntax, so i'd enable 2fa on personal accounts
oh yeah I forgot about this issue here I continued my "token research" here: https://github.com/hxr404/Discord-Console-hacks#inner-workings-of-discord
This image explains it pretty good (credit to Flam3rboy) tokens are JWT
I generated some tokens by changing the passwords and Discorverd something interesting:
base64userid.YAwfew.randomstuff
base64userid.YAwgGA.randomstuff
base64userid.YAwgSA.randomstuff
base64userid.YAwgew.randomstuff
base64userid.YAwgtQ.randomstuff
base64userid.YAwg6w.randomstuff
base64userid.YAwhCA.randomstuff
The first 3 letters (of the middle block) are always the same and the letters after it are kinda similar
When doing this with Bot tokens this 6 letters are completly the same! seems like the first 3 letters represent some account info that doesn't change and the other 3 letters only change at user accounts
So this is my idea of Token Syntax:
-
or_
); not random-
or_
) that are userspecific for bots; not random-
or_
)and for user accounts with mfa enabled #12