Webhook Attack
An attacker creates or takes over a webhook and uses it to post messages containing malicious links, scamming users who trust the post.
Threat Description
Webhooks are neither good nor bad; they are a useful technology that lets a server embed content and make Discord messages look polished. Improper use and handling of webhooks is where the problem lies, and why they have earned a bad reputation.
Attacks happen when:
Webhook permissions (Manage Webhooks) are enabled for users or bots that are not responsible for them
A once-trusted bot that holds webhook permissions for seemingly innocent behaviour, such as bridging social media posts into Discord, is compromised
The URL and/or JSON payload of an existing webhook was shared, or left in an easy to access or compromise place (within Discord, within DMs, etc.)
A webhook URL allows anyone who holds it to post messages into that channel, with no account or permission check, for as long as the webhook exists. Those messages can be spammed, can ping @everyone and, most dangerous of all, can look very official (the sender chooses the display name and avatar) if the server and/or the Administrator is managed poorly.
Prevention
No account, apart from the Administrator and the designated bots, should ever have webhook permissions. The bots that do have webhook permissions should be confined to a designated channel and monitored by Wick or another security bot for irregular behaviour.
On the rare occasions when a webhook is created, it should be used only in read-only channels, set up by a trained Administrator following safe practices, NEVER in general/chat channels and NEVER to announce mints (a webhook that announces mints trains users to trust webhook posts, which is exactly the behaviour a scammer exploits). Once a webhook has been posted manually, the Manage Webhooks permission should immediately be removed again across the server. Wick should be configured to monitor for webhook posts outside the intended channel.
Bots that need a webhook can have the Manage Webhooks permission removed once they are set up: they don't need to create new webhooks afterwards. They don't need Administrator. They don't need access to channels outside their intended channel, and they certainly don't need the ability to change that channel's information to mimic anything else.
Do NOT share webhook URLs in Discord, not even in private DMs. If a webhook URL or JSON payload must be shared, use a trusted encrypted chat outside Discord.
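As an added example, not code from this page or from Wick, the rule above can be enforced by a security bot that scans every message for a webhook URL, deletes the message, alerts staff with the secret redacted, and prepares the revoke call. The URL hosts, the id/token layout and the token-only DELETE endpoint are taken from Discord's public API documentation; the IDs, the token and the sample messages are constructed placeholders; the message dict shape (author_id, channel_id, content) is an assumption for the bot framework you use. Nothing here contacts Discord.

```python
import re
from dataclasses import dataclass

# Webhook URL forms Discord accepts: the main, PTB and Canary hosts, the
# legacy discordapp.com host, and an optional /vN API version. The id is a
# snowflake (17-20 digits); the token is the secret that grants posting rights.
WEBHOOK_URL_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com"
    r"/api(?:/v\d+)?/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{20,})"
)


@dataclass(frozen=True)
class LeakedWebhook:
    webhook_id: str
    token_prefix: str  # first 6 characters only: enough to correlate, never the secret
    url: str


def find_leaked_webhooks(text):
    """Return every webhook URL found in a message body."""
    return [
        LeakedWebhook(m["id"], m["token"][:6], m.group(0))
        for m in WEBHOOK_URL_RE.finditer(text)
    ]


def redact_webhook_urls(text):
    """Copy of the message that is safe to forward to a staff alert channel."""
    return WEBHOOK_URL_RE.sub(
        lambda m: f"https://discord.com/api/webhooks/{m['id']}/[REDACTED]", text
    )


def revoke_request(url):
    """Build Discord's documented token-only delete call (DELETE /webhooks/{id}/{token}).

    It needs no bot token: the leaked URL itself is enough to kill the webhook,
    so it can be revoked the moment it is seen. This only builds the request;
    sending it is left to the caller.
    """
    m = WEBHOOK_URL_RE.fullmatch(url)
    if m is None:
        raise ValueError("not a Discord webhook URL")
    return ("DELETE", f"https://discord.com/api/v10/webhooks/{m['id']}/{m['token']}")


def triage_message(message):
    """Decide what the security bot should do with one message.

    `message` is a dict with author_id, channel_id and content (assumed shape).
    """
    leaks = find_leaked_webhooks(message["content"])
    if not leaks:
        return {"action": "allow", "webhook_ids": []}
    return {
        "action": "delete_and_alert",
        "webhook_ids": sorted({leak.webhook_id for leak in leaks}),
        "alert": (
            f"webhook URL posted by {message['author_id']} in channel "
            f"{message['channel_id']}: {redact_webhook_urls(message['content'])}"
        ),
        "revoke": [revoke_request(leak.url) for leak in leaks],
    }


# Constructed sample messages; the IDs and the token are placeholders, not real ones.
SAMPLE_MESSAGES = [
    {
        "author_id": "500000000000000005",
        "channel_id": "300000000000000009",
        "content": (
            "here is the hook for the mint alerts "
            "https://discord.com/api/webhooks/123456789012345678/"
            "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijklmnopqrstuvwxyzABCDEF"
            " pls dont share"
        ),
    },
    {
        "author_id": "500000000000000006",
        "channel_id": "300000000000000009",
        "content": "gm everyone, mint is live on the official site",
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage_message(msg))
```

Wire `triage_message` into your bot's on-message handler: on `delete_and_alert`, delete the message, post `alert` to the staff channel, and send the `revoke` request. Because deleting a webhook with its own token needs no permission, a leaked URL should be treated as burned and revoked rather than just hidden; the bot that posted through it can be given a fresh one in its designated channel.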
Response to an Active Threat
Remove the webhook, then remove the compromised offender. Go to Server Settings -> Integrations; if any webhooks are listed there, open View Webhooks and delete them. The Audit Log records which account created or edited the webhook, which identifies the source of the attack; remove that account.
Review each role, and then each channel's permission overrides, to make sure Manage Webhooks, Manage Roles, Manage Channels, Manage Server and Administrator are disabled for everyone except the Administrator and the designated bots.
Review Wick and ensure no channels and/or users have immunity from its security features; make sure Wick's role is positioned above the staff and bot roles, and that the quarantine role sits below Wick but above the staff and bot roles.
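The audit-log step above (find who created or moved the webhook, then remove that account) and the prevention rules (only the Administrator and designated bots may own webhooks, and only in their read-only channel) can be checked mechanically. The following is an added example, not the page's or Wick's code: it takes the documented shapes of a guild webhook list and of audit-log entries (action types 50 WEBHOOK_CREATE, 51 WEBHOOK_UPDATE and 52 WEBHOOK_DELETE, with per-change `key`/`old_value`/`new_value` records) and produces a response plan. The policy, all IDs and the sample data are constructed placeholders; fetching the live data with a bot token is left to the caller.

```python
# Discord audit-log action types for webhooks (documented values).
WEBHOOK_CREATE, WEBHOOK_UPDATE, WEBHOOK_DELETE = 50, 51, 52

# Hypothetical policy derived from the prevention rules: only the admin account
# and the announcement bot may own webhooks, and only in the read-only
# announcements channel. All IDs below are constructed placeholders.
POLICY = {
    "allowed_creators": {"100000000000000001", "200000000000000002"},  # admin, announce bot
    "allowed_channels": {"300000000000000003"},                        # #announcements (read-only)
}

# Constructed sample of GET /guilds/{guild.id}/webhooks, in the documented object shape.
SAMPLE_WEBHOOKS = [
    {"id": "400000000000000004", "type": 1, "name": "Announcements",
     "channel_id": "300000000000000003", "user": {"id": "200000000000000002"}},
    # A mod-created webhook that now lives in #general and imitates the official bot.
    {"id": "400000000000000005", "type": 1, "name": "Official Mint Bot",
     "channel_id": "300000000000000009", "user": {"id": "500000000000000005"}},
]

# Constructed sample of audit-log entries for the second webhook: created in the
# allowed channel, then moved into #general.
SAMPLE_AUDIT_LOG = [
    {"id": "1", "action_type": WEBHOOK_CREATE, "user_id": "500000000000000005",
     "target_id": "400000000000000005",
     "changes": [{"key": "channel_id", "new_value": "300000000000000003"},
                 {"key": "name", "new_value": "Official Mint Bot"}]},
    {"id": "2", "action_type": WEBHOOK_UPDATE, "user_id": "500000000000000005",
     "target_id": "400000000000000005",
     "changes": [{"key": "channel_id", "old_value": "300000000000000003",
                  "new_value": "300000000000000009"}]},
]


def audit_webhooks(webhooks, policy):
    """Return (webhook_id, reason) for every webhook that violates the policy."""
    findings = []
    for wh in webhooks:
        creator = (wh.get("user") or {}).get("id")  # `user` is absent on token-only fetches
        if wh["channel_id"] not in policy["allowed_channels"]:
            findings.append((wh["id"], f"lives in non-allowlisted channel {wh['channel_id']}"))
        if creator not in policy["allowed_creators"]:
            findings.append((wh["id"], f"created by non-allowlisted account {creator}"))
    return findings


def suspicious_audit_entries(entries, policy):
    """Entries where a non-allowlisted account created a webhook, or any account
    moved a webhook into a non-allowlisted channel."""
    hits = []
    for entry in entries:
        if entry["action_type"] == WEBHOOK_CREATE:
            if entry["user_id"] not in policy["allowed_creators"]:
                hits.append(entry)
        elif entry["action_type"] == WEBHOOK_UPDATE:
            for change in entry.get("changes", []):
                if change["key"] == "channel_id" and change.get("new_value") not in policy["allowed_channels"]:
                    hits.append(entry)
                    break
    return hits


def response_plan(webhooks, entries, policy):
    """Webhooks to delete and accounts to remove, following the response steps above."""
    findings = audit_webhooks(webhooks, policy)
    hits = suspicious_audit_entries(entries, policy)
    return {
        "delete_webhooks": sorted({wid for wid, _ in findings} | {e["target_id"] for e in hits}),
        "remove_accounts": sorted({e["user_id"] for e in hits}),
        "findings": findings,
    }


if __name__ == "__main__":
    print(response_plan(SAMPLE_WEBHOOKS, SAMPLE_AUDIT_LOG, POLICY))
```

Run it against the real webhook list and audit log (filtered to action types 50 to 52) after an incident, and on a schedule as a drift check: a webhook that was created in the right channel by the right bot but later moved, renamed or re-owned shows up in the audit entries even though the current webhook list alone might look clean.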