Discord add security params/signature (http call signing/algorithms)

[xtekky]

Hello, since its beginning, discord has been the target of a lot of exploits and botting software.

Having improved its security with custom captcha and hcaptcha bot detection, discords API calls still remain unprotected and easily compromised.
Most apps/sites use signing of HTTP requests to fight more efficiently against botting/exploiting API's and networks, such a security measure is also quite easy to implement.

This is just a suggestion and would outdate/block 100% of today's illegal programs out there using discord API's.

Of course there is still api's that need to remain accessible to discord bots, this security measure / signing of HTTP calls should only affect sensible endpoints like dm (personal accounts) or register/login, etc...

Most platforms (TikTok, etc..) already use HTTP signing and are therefore are less much less exploited than discord, why was this feature not implemented before ?

sincerely Tekky.

[SyntaxSparkk]

their devs are so bad lol.. shouldve been added since the start

[advaith1]

what are you talking about? if the official Discord clients can do a request then anything can technically do the request.

additionally,

Most platforms (TikTok, etc..) already use HTTP signing and are therefore are less much less exploited than discord

according to your pinned repos, this is not really helping tiktok

[xtekky]

yh thats why discord had to revoke all promos on the last collab with https://www.toweroffantasy-global.com because it got clearly spammed to hell, and people could gen them almost out of "thin air"

[xtekky]

without mentionning the million codes made with https://medal.tv

[PlavorSeol]

yh thats why discord had to revoke all promos on the last collab with https://www.toweroffantasy-global.com/ because it got clearly spammed to hell

{{Citation needed}}

people could gen them almost out of "thin air"

One cannot simply get free Nitro or Server Boosts just by calling/spamming some API endpoints. If they really can, {{CN}} as well. If you meant something different or more specific, please clarify to make it clear.

[xtekky]

I mean u can just sniff http calls and simply replicate the process not even having to reverse engineer anything or look at the src. Scripts on GitHub show how simple it is. This is the main issue I am talking about.

[xtekky]

And I see that u are disagreeing with my statements, I know what I am talking about, just look up "discord promo gen" and you'll find a scary lot working ones. If you ever looked on how to gen promo codes, you would understand that I am talking facts here.

[devsnek]

Assuming you mean this, the purpose is not to protect against automated systems. It is to ensure that the request is not tampered with (in particular, for situations where the request is not protected by TLS at every stage between the client and the server). While that is quite interesting, it is not very applicable to anti-spam systems.

[xtekky]

Its not really spam that is targetet here, just generally the missuse of discords api

[technicaljicama]

Good point, although if discord implements signing, it should be more than just 1 header (most companies just use a hmac sha1 hash with a "secret" key) better would be an own hashing Algorithm for example (2 different algos that hash 2 different strings for example current time+request body the other algo hashes request url + fingerprint) now the Algorithms need to be obfuscated ofcourse so ollvm or vmprotect may be a good choice + anti debugging stuff.

[xtekky]

Ppl disliking it are prolly just skids that are worried to not be able to make discord scripts anymore lmaoooo, and yh I am talking about some serious algorithm including different encryption methods

[splatterxl]

Are you sure you're not just doing armchair security? This wouldn't stop scripting and it would likely be reverse engineered within a day.

At most it would just obsolote the older ones but if the people actually care about sending spam requests they would... you know... update their scripts?

[xtekky]

yes, of course but it would be harder and if discord does it's job right people wouldn't be able to reverse it, frequent updates and skilled devs are enough to keep it safe.

[mewzax]

Mais keske tu racontes gros

[xtekky]

T'as peur ou quoi mdr

[antoinekm]

@xtekky they don’t rly know what Reverse engineers are capable of…

[SyntaxSparkk]

there's a huge community around discord, all it takes is one person to reverse engineer it, and it would be spread around fast

[xtekky]

nah, bro people would be selling it not leaking and the reason why there is a big community around it is because discord is too ez bruh they need to change, I don't get why people so mad

[xtekky]

and I haven't seen mssdk or Argus around here or even selling same goes for x-bogus on TikTok I have seen a lot of people complaining and abandon because of that.

[SyntaxSparkk]

Yeah, maybe they will just sell it like how people do with TikTok.

Discord adding this = less skids and less api abuse

The people hating on this idea are skids who don't know how to reverse engineer 😂

[xtekky]

Yeah I don't see any negative point on adding that lmao, the only one being having skilled devs, a feature discord apparently does not have.

Good security devs against reverse engineers is incomparable, big advantage on the company side.

[SinisterRectus]

dies from cringe

[xtekky]

cool really cringe being the easiest platform to be reverse engineered.

last L u took is when u had to invalidate all promos on towerof fantasy

I'm just trying to make a good suggestion please elaborate a main negative point on why this is a bad idea

[jhgg]

This post really appears to be speculation without any real substantive discussion or viable technical suggestions - and thus has devolved into trolling.

As such, I am locking this post.