シンプル - Discord Bot with role selection, moderation, karma ranking, a starboard, code execution, raid alerting, backups, a web interface, twitch notifications and more!
The Push Login code system could be used to phish other users' logins. An attacker opens the login page in their own browser session, copies the login code it shows, and convinces the victim to send that code to shinpuru via DM from the victim's Discord account. Because the code is tied to the browser session that generated it and not to the Discord user who submits it, this logs the attacker's session in with the victim's authentication.
This can be mitigated by showing a warning that the user must explicitly accept before the login completes, stating that you should never enter a login code that was sent to you by another user.
Steps to Reproduce
Attacker side
Open the login page
Copy the authentication code
Send the code to someone and convince them to send the code to shinpuru via DM
Victim's side
Copy the login code that was sent to you
Enter it into the DMs of shinpuru
Now, the attacker is logged in as the user who entered the code.
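The flow above and the proposed warning step, as an added example that is not shinpuru's own code: a small push-login store in Go with the vulnerable path (the session that generated the code is logged in as whoever DMs it) next to a hardened path that records who submitted the code, answers with the warning, and only completes the login when that same user confirms. The type and function names, the 8-character base32 code, the expiry and the single-use handling are assumptions made for this example, not details taken from the project.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
	"sync"
	"time"
)

// LoginWarning is sent back before a push login is completed (assumed wording).
const LoginWarning = "Never enter a login code that another user sent to you: " +
	"whoever generated this code will be logged in with YOUR account. " +
	"Reply 'confirm' only if you requested this code yourself."

var (
	ErrUnknownCode  = errors.New("unknown or expired login code")
	ErrNotSubmitted = errors.New("code was not submitted by this user")
)

type pushLogin struct {
	sessionID   string    // browser session that requested the code
	createdAt   time.Time // used for expiry (hardening assumed for this example)
	submittedBy string    // Discord user ID that DMed the code; "" until then
}

// PushLoginStore maps pending codes to browser sessions and sessions to users.
type PushLoginStore struct {
	mu       sync.Mutex
	pending  map[string]*pushLogin
	sessions map[string]string // browser session ID -> authenticated Discord user ID
	ttl      time.Duration
	Now      func() time.Time // injectable clock so expiry can be tested
}

func NewPushLoginStore(ttl time.Duration) *PushLoginStore {
	return &PushLoginStore{pending: map[string]*pushLogin{}, sessions: map[string]string{}, ttl: ttl, Now: time.Now}
}

// newCode returns 40 random bits as 8 unpadded base32 characters.
func newCode() string {
	var b [5]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b[:])
}

// RequestCode is what the login page calls when a browser session opens it.
func (s *PushLoginStore) RequestCode(sessionID string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	code := newCode()
	s.pending[code] = &pushLogin{sessionID: sessionID, createdAt: s.Now()}
	return code
}

// lookup returns the pending entry for a code, dropping it if it has expired. Caller holds mu.
func (s *PushLoginStore) lookup(code string) (*pushLogin, bool) {
	p, ok := s.pending[code]
	if !ok || s.Now().Sub(p.createdAt) > s.ttl {
		delete(s.pending, code)
		return nil, false
	}
	return p, true
}

// SubmitCodeVulnerable mirrors the reported behaviour: the session that generated
// the code is immediately logged in as whichever Discord user DMed it.
func (s *PushLoginStore) SubmitCodeVulnerable(code, userID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.lookup(code)
	if !ok {
		return ErrUnknownCode
	}
	s.sessions[p.sessionID] = userID
	delete(s.pending, code)
	return nil
}

// SubmitCode is the hardened first step: remember who sent the code and return
// the warning. Nothing is logged in yet.
func (s *PushLoginStore) SubmitCode(code, userID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.lookup(code)
	if !ok {
		return "", ErrUnknownCode
	}
	p.submittedBy = userID
	return LoginWarning, nil
}

// ConfirmLogin completes the login only when the same user who submitted the
// code explicitly accepts the warning; the code is then consumed.
func (s *PushLoginStore) ConfirmLogin(code, userID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.lookup(code)
	if !ok {
		return ErrUnknownCode
	}
	if p.submittedBy == "" || p.submittedBy != userID {
		return ErrNotSubmitted
	}
	s.sessions[p.sessionID] = userID
	delete(s.pending, code)
	return nil
}

// SessionUser reports which Discord user, if any, a browser session is logged in as.
func (s *PushLoginStore) SessionUser(sessionID string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.sessions[sessionID]
	return u, ok
}

func main() {
	v := NewPushLoginStore(5 * time.Minute)
	code := v.RequestCode("attacker-browser")
	_ = v.SubmitCodeVulnerable(code, "victim") // victim pastes the attacker's code into the DM
	u, _ := v.SessionUser("attacker-browser")
	fmt.Println("vulnerable: attacker session is logged in as", u)

	h := NewPushLoginStore(5 * time.Minute)
	code = h.RequestCode("attacker-browser")
	warn, _ := h.SubmitCode(code, "victim")
	_, ok := h.SessionUser("attacker-browser")
	fmt.Printf("hardened: bot replies %q; attacker logged in before confirm: %v\n", warn, ok)
}
```

The hardened path still lets a victim who ignores the warning and replies "confirm" log the attacker in, which is exactly the residual risk of the mitigation the advisory proposes; the warning is what gives the victim a chance to notice that they never opened the login page themselves. The expiry and single-use handling are extra hardening assumed for the example and limit how long a phished code stays usable.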
Type
Authorization Bypass