Improving the security of the forums

alice

Several users on here have a tendency to provide "free" services, services that seem to be legitimate and reliable, but actually expose users to severe security/privacy risks that they are most likely not aware of.

For example, Tommy W provides two services:
So the user is offering a free Nitro autoclaimer service. To participate, you have to hand over your Discord token for him to set it up on his end, which he then will run for days, wasting server resources (on top of the time to set the script up) ... just out of the goodness of his heart -- absolutely no strings attached, just so that you might end up getting Nitro for free.

Why would he bother doing this if he has nothing to gain? Well, what most children don't understand on here is that with someone's Discord token, you gain full access to their account. So you can scrape all of their chatlogs, billing information, guilds they're in, friends list, etc., within a matter of mere minutes, and they'd never know. There is no way to know. And if they were to ask someone like Tommy W the dangers of giving out their token to a person like him, he'd most likely say "It's okay, I won't do anything!" as he has on his thread. He does not make them aware of the risks, but rather tries to tell them that it's okay and safe.

If he truly wanted to help people just out of the goodness of his heart, why wouldn't he just release the script to the public? After all, such a script is no more than 5-10 lines of code. It is a menial project and shouldn't take more than 15 minutes to code. But he wants to provide the service for some reason and host it on his server. This is a red flag.

Likewise, for his ShareX server, most people who use it more than likely don't understand that he is able to view all of their private images that they upload to his server. And honestly, why else would he provide these free services? Based on this user's personality (being interested in malware, and knowing about stuff that only those who scrape private images off of websites would know) and other stuff taken into account like the fact that he's 15, and his dodgy behavior and spreading of misinformation (like that a "token expires after 7 days" which is nonsense) are all red flags that he only provides these free services because he wants to look at users' private data/chatlogs/images.

Unfortunately, a lot of this is conjecture on my end because there is no way to prove any of this, even as confident as I am that these are his true intentions. For all we know, he is [essentially] spreading malware throughout the forums with his free services and there's no way to prove it.

This is why we need rules and warnings in place, rules that explicitly make it clear that:
  • You should be careful when handing out your Discord token (in particular, to selfbot developers) because they can export your chatlogs and view your billing information. It's not just an "isolated script that uses the bot API with limited access"
  • You should be careful when using someone's private ShareX server and image hosting website. It's not just a "screenshot ShareX server with a cool-sounding domain".
  • You should be careful when using private e-mail servers.
  • You should be careful when posting your e-mail address in threads like this that are a gold mine for account hijackers. Check your e-mail address on https://haveibeenpwned.com/ before posting it.
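
As an added example (not from this thread or from any of the users in it), here is the kind of defender-side check a forum could run on a post before it is published: it flags strings shaped like a Discord user token so the poster gets exactly the warning this suggestion asks for. The token layout (three base64url segments, the first encoding the decimal user ID) and the segment-length ranges are assumptions.

```python
"""Defensive check for a forum or paste filter: flag strings that have the
structure of a Discord user token so the poster can be warned before the
token is handed over or published. The token layout is an assumption."""
import base64
import re
from datetime import datetime, timezone

# Discord snowflake IDs store milliseconds since 2015-01-01T00:00:00Z in the
# bits above bit 22 (the low 22 bits are worker/process/sequence counters).
DISCORD_EPOCH_MS = 1420070400000

# Assumed shape: three dot-separated base64url segments; the first one is the
# base64 encoding of the account's decimal user ID. Segment lengths differ
# between token generations, so the pattern is loose and decoding is the test.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,40}\.[A-Za-z0-9_-]{5,8}\.[A-Za-z0-9_-]{25,}")


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url; raises ValueError on bad input."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def snowflake_timestamp(user_id: int) -> datetime:
    """Return the account creation time encoded in a Discord snowflake."""
    ms = (user_id >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def looks_like_discord_token(candidate: str) -> bool:
    """True when the first of three segments decodes to a plausible snowflake."""
    parts = candidate.split(".")
    if len(parts) != 3:
        return False
    try:
        decoded = _b64url_decode(parts[0]).decode("ascii")
    except ValueError:  # bad base64, bad padding or non-ASCII bytes
        return False
    if not decoded.isdigit() or not 17 <= len(decoded) <= 20:
        return False
    try:
        created = snowflake_timestamp(int(decoded))
    except (OverflowError, OSError, ValueError):
        return False
    # A real account cannot predate the epoch or be created in the future.
    return datetime(2015, 1, 1, tzinfo=timezone.utc) <= created <= datetime.now(timezone.utc)


def find_tokens(text: str) -> list:
    """Return every token-shaped string in a post that passes the check."""
    return [m.group(0) for m in TOKEN_RE.finditer(text)
            if looks_like_discord_token(m.group(0))]


if __name__ == "__main__":
    # Constructed sample: user ID 123456789012345678 base64-encoded, followed
    # by two filler segments; it is not a real token.
    sample = "MTIzNDU2Nzg5MDEyMzQ1Njc4.AbCdEf.xxxxxxxxxxxxxxxxxxxxxxxxxxx"
    print(find_tokens("hey can you set up the claimer, token: " + sample))
```

A hit should block or warn on the post rather than be logged: the point is to stop the token leaving the user's hands, not to collect it.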
 
Type: Suggestion
Status: Denied

Geek

I think this just comes down to the user being cautious. Having more rules requires more moderation, and there's already stress about the moderation, or rather lack thereof. No matter the rules in place, it should always come down to the user being cautious and doing their research and due diligence before entering sensitive information.

I don't think it's your place to call a user out based on his posts though. Just my 2 cents. Just because someone is interested in malware and has the common knowledge that the files being served can have the same name, but will provide different files based on the URL is rather insensitive in my opinion. That's really just common sense, that anyone with any experience with the Internet should know.
 

Cade

I don't know if it has anything to do with it but I was given a vouch copy for someone's "nitro claimer" (Not Tommy W.) and the next day my processor broke. I only ran the program for less than a minute, used an alt discord.

Back to the thread, I agree with this.
 

alice

> I think this just comes down to the user being cautious. Having more rules requires more moderation, and there's already stress about the moderation, or rather lack thereof. No matter the rules in place, it should always come down to the user being cautious and doing their research and due diligence before entering sensitive information.
>
> I don't think it's your place to call a user out based on his posts though. Just my 2 cents. Just because someone is interested in malware and has the common knowledge that the files being served can have the same name, but will provide different files based on the URL is rather insensitive in my opinion. That's really just common sense, that anyone with any experience with the Internet should know.

We don't necessarily need to enforce more rules; we just need to warn users more about the dangers in some way -- perhaps a pinned thread in some sections.

Users can't be "cautious" if they aren't aware of the dangers. They don't know whether their Discord token is "sensitive information" or not. A lot of selfbot developers on here play off someone's token as something only required to call certain functions on an account from an isolated bot API with limited functions in an environment they don't really look at -- they make it sound safe. They intentionally deceive and spread misinformation. Many "bot developers" on here are just kids too. Why wouldn't they export someone's chatlogs if it's so easy to do? How can we trust them not to?

And perhaps you're right that it's not my place to make an example out of someone publicly, but what other remedy is there? I feel like he brought that up on himself. Rather than just saying, "I agree, there are risks involved with sharing your token. You don't have to use my service if you don't trust me." he tries to vehemently defend how safe it is, even posts his ShareX server on his profile, even -repped me for warning users about the dangers of sharing your token a couple of months ago on his thread.

> I don't know if it has anything to do with it but I was given a vouch copy for someone's "nitro claimer" (Not Tommy W.) and the next day my processor broke. I only ran the program for less than a minute, used an alt discord.
>
> Back to the thread, I agree with this.

Extremely doubtful that it was related to a Nitro Claimer script. I'd recommend changing your password though to change your token.
 

Geek

> They don't know whether their Discord token is "sensitive information" or not.

While this says "Pasting", I'd consider it common knowledge that copying would also not be the smartest thing.
[image: hl5fb.png]

> perhaps a pinned thread in some sections.

Almost any section can be used to "spread malware", whether it be plugins, discord bots, configurations, etc.

> Why wouldn't they export someone's chatlogs if it's so easy to do? How can we trust them not to?

Not only would this be an insane amount of data to store, transmit and surf through, it would be stupid. The majority of users are in over 10 discord servers, with at least 10 separate text channels, with numerous private conversations with friends. The data would prove inefficient as the most "scandalous" information you'd get is inside jokes between friends. It's not our place to answer the questions of people's quirks.

> even -repped me for warning users about the dangers of sharing your token a couple of months ago on his thread.

Honestly, I would've done the same thing. I'd consider the replies as thread trashing as you're effectively preventing "business" (used loosely). While your concerns are valid and sincere, it's really not your place, or anyone's place for that matter, to shove information and concerns into people's faces.

No matter where you go on the Internet, you have the chance of risking exposure to any malware or malicious software. Through accessing websites, your IP is exposed and can be used to trace information down. Any time you log into a website, your information is exposed. Usernames, Passwords, IPs, Location, etc. Anytime you access the Internet, you're putting yourself at risk, but if you have the common knowledge to just have some basic internet security, there's really nothing to worry about. All in all, it's up to the user to protect themselves. Notices and pinned threads are really not going to prove useful because notices are just ignored and pinned threads are just ways for people to advertise their services. The only place where a pinned thread would be even slightly noticeable would be in the General Discussion subforum, or a bullet point in the next announcement thread. Regardless, the MCM Terms of Service clearly state that the service is "as-is" and we use the service at our own risk.

> CONTENT RESTRICTIONS
> You may not upload, post, or transmit (collectively, "submit") any text, images, videos, sounds, or other works (collectively, "content") that: (i) Infringes any third party's copyrights or other rights (e.g., trademark, privacy rights, etc.); (ii) Contains sexually explicit content or pornography; (iii) Contains hateful, defamatory, or discriminatory content or incites hatred against any individual or group; (iv) Exploits minors; (v) Depicts unlawful acts or extreme violence; (vi) Depicts animal cruelty or extreme violence towards animals; (vii) Promotes fraudulent or dubious business schemes; or (viii) Violates any law.
>
> DISCLAIMERS
> MCM has no obligation to screen or monitor any content and does not guarantee that any content available on the Service complies with the TOS or is suitable for all users.
>
> MCM provides the Service on an "as is" basis. You therefore use the Service at your own risk. MCM expressly disclaims any and all warranties of any kind, whether express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, non-infringement, and any other warranty that might arise under any law. Without limiting the foregoing, MCM make no representations or warranties: (i) Concerning any content submitted by any user; (ii) Concerning any third party's use of content that you submit to the Service; (iii) That any content you submit to the Service will be made available on the Service or will be stored by MCM; (iv) That the Service will be permitted in your jurisdiction; (v) That the Service will be uninterrupted or error-free; (vi) That the Service will meet your business or professional needs; (vii) That MCM will continue to support any particular feature of the Service; or (viii) Concerning sites and resources outside of the Service, even if linked to from or within the Service.
>
> To the extent any disclaimer or limitation of liability does not apply, all applicable express, implied, and statutory warranties will be limited in duration to a period of ninety (90) days after the date on which you first used the Service, and no warranties shall apply after such period.

Just be smart, and you'll be fine.
 

Cade

> Extremely doubtful that it was related to a Nitro Claimer script. I'd recommend changing your password though to change your token.

I didn't think it was. Just was odd.
 

alice

> While this says "Pasting", I'd consider it common knowledge that copying would also not be the smartest thing.
> [image: hl5fb.png]

> Almost any section can be used to "spread malware", whether it be plugins, discord bots, configurations, etc.

Your image is irrelevant because no one opens the console when looking for their token. They open the Network tab which makes no mentions of the dangers of sharing your token.

Furthermore, most Discord bots and configurations (not sure how you'd be able to infect someone with a configuration?) are open source and that wouldn't be as easy or as convenient of an attack vector as say, simply asking someone for their Discord token which any kid or "selfbot developer" on here could do. And then just simply input that token into a chat exporter and done. No worry of AV detection, no backend C2 server to connect to, no worries of being audited, no trail left.

Java plugins, on the other hand, assuming they aren't open source, are also easy to decompile and have likely at one point in time been audited by someone. It's also unlikely that any malware author would bother selling a Java plugin with malware in it, especially if they are selling it for revenue. It's simply not comparable to a kid like this asking for people's tokens to provide a free Nitro claimer service for whatever reason (the reason is obvious if your head isn't far up your ass).

> Not only would this be an insane amount of data to store, transmit and surf through, it would be stupid.

An insane amount of data to store and surf through? What the hell? 10 MB of text files is an "insane amount of data"? A text file that you can just open and read through or CTRL+F for relevant parts? Or use a simple regex query to extract all passwords and sensitive information?

> The majority of users are in over 10 discord servers, with at least 10 separate text channels, with numerous private conversations with friends.

Who said they would have to export everything? You can export just DM chats easily.

> The data would prove inefficient as the most "scandalous" information you'd get is inside jokes between friends. It's not our place to answer the questions of people's quirks.

Oh so you've never sold or bought an account through Discord? You've never said something personal to someone you don't want shared? You've never sent, or heard of anyone sending, nudes to other people through Discord? You've never bought Nitro with your billing information?

People also have a habit of sending all of their information and passwords to their alt account's DM as a convenient way of storing information.

How is any of the above information "inefficient"?

> Honestly, I would've done the same thing. I'd consider the replies as thread trashing as you're effectively preventing "business" (used loosely).

What """Business""" is he running by asking for people's tokens to provide a free Nitro autoclaimer service?

How is warning someone of the potential dangers "trashing"?

> While your concerns are valid and sincere, it's really not your place, or anyone's place for that matter, to shove information and concerns into people's faces.

Oh, so increasing awareness in the community and telling the community that some 15 year old kid might be reading all of their private chats is a bad thing apparently.

> No matter where you go on the Internet, you have the chance of risking exposure to any malware or malicious software. Through accessing websites, your IP is exposed and can be used to trace information down. Any time you log into a website, your information is exposed. Usernames, Passwords, IPs, Location, etc. Anytime you access the Internet, you're putting yourself at risk

You are reaching. No clue what your point is or how it is relevant to the topic.

> Notices and pinned threads are really not going to prove useful because notices are just ignored and pinned threads are just ways for people to advertise their services.

Notifications and pinned threads get ignored and don't get noticed? Source? What research have you done on this topic?
 

Mick

BuiltByBit Owner
> Notifications and pinned threads get ignored and don't get noticed? Source? What research have you done on this topic?

In my experience, Geek is correct with this. We moved away from making pinned threads to give important information and instead do notices for it. People simply don't bother to read the important information pinned threads we post unless they're already active enough to know the info on them.

The more notices that we add, the less effective they become though since people will just assume that the information on them isn't relevant to them if it's not most of the time. That particular thread you showed is the only instance I've ever seen of this particular thing happening and nobody has offered this service since that I know of. As long as that user is explaining the risks involved in handing over their token and the chances that it'll get them banned from Discord then I don't have too much of a problem with it. I see no need to add a notice about something that's a non-issue 99.99999% of the time.

Denied, thanks for the suggestion
 