Edit 20/07 at 14:30: After some quick discussions on Twitter I added some elements to the conclusion that I might have omitted, but that doesn?t affect the final statement.
Recently, a group of attackers targeted Discord and made a website that aimed at doing large-scale phishing. The hype around it did explode recently, and gave damas such as the ?KawaiiBot is a threat? fake alert, you can read more about that from the owner of KawaiiBot here.
What interests me in this story is the conclusions discordgg.ga did show on their website before going down. For people who didn?t read it, they basically explained the attack and draw the conclusion that Discord response of blocking IP addresses was useless and they should?ve protected the login page with some CSRF.
What is CSRF
That?s a good question. For the sake of simplicity, I?m going to simplify some points of it, so don?t blame some inaccuracies.
Basically, a CSRF attack is when a form on a site A attempts to submit data to a site B. This can be done through a very basic HTML form properly configured code-wise. Those attacks are very dangerous because once redirected to site B, your cookies and session details may authenticate you and execute the form as an administrator. So site A could make you send a form on site B that?d tell the site to delete your account, or delete all data through an admin dashboard. Scary! Thankfully developers came with a way to prevent those attacks: CSRF tokens.
What are CSRF tokens
In a nutshell, CSRF tokens are random strings bound to your IP address. Those tokens are included by websites as hidden fields and when the form is sent, this token is validated and will allow or not to let the request go through.
But wait, site A can get a CSRF token, and still perform a request, so that this is useless right? Well no, it?s not as easy as that. As I mentioned before, CSRF tokens are bound to your IP address, so site B can?t fetch it from their servers. But they can make a request directly from the browser, so make a token that belongs to the right IP, right? As it turns out, no. While doing an HTTP request with some JavaScript, the web browser will perform a Cross-Origin check. If site A doesn?t allow those, the browser will refuse to perform a request.
And there you go, your site is secure! Only a form generated by the website will go through and perform actions. But CSRF aren?t the only layer of security, and is in some cases useless. We?ll talk about that a bit later.
The nature of discordgg.ga attack
The attack discordgg.ga did run was a phishing attack: they displayed a fake login page to gather users email and passwords to do malicious things with it. This is a great moment to remind you that you should never click on any link you don?t trust. If Discord sends you a mail because you absolutely need to login, don?t click anything in the mail and manually go to the website. The same applies for every service. Also, Two-Factor Authentication is a great extra-layer of security that is available is most services nowadays, so go enable it to protect yourself.
After the attack, the website did post a summary of the attack scheme and a SQL dump of all the data they gathered. They also left a message to Discord, telling that blocking IPs was a severely inefficient way of blocking them and that they should?ve implemented a CSRF check on the login page. While this sounds right, it actually is wrong on multiple points. And let me explain why.
Why a CSRF token on the login page is useless
First, as I mentioned earlier CSRF attacks are powerful because you can make requests on behalf of an user. But there, you?re just attempting to submit a form to authenticate yourself, and CSRF protection isn?t really required in that case.
Second, the nature of the attack was phishing. Not CSRF. While the way they did it exploits the lack of CSRF checking, their approach was severely over complex. They do have the email, and the password. They can just make the request manually on their end, and generate CSRF tokens themselves.
Third, Discord is immune to CSRF attacks due to it?s design. CSRF is possible by sending a HTML form to a website. But a HTML form can only send url-encoded payloads, not JSON payloads. It?s like speaking to someone in english while they only understand japanese, it doesn?t work. And even if it was vulnerable, Discord uses a REST API, meaning that most requests aren?t simple POST, it can be PUT or DELETE requests. Requests that a form can?t perform.
Conclusion
The whole discordgg.ga drama is just yet another phishing attempt that sadly did work. Phishing attacks cannot be stopped, except by blocking IP addresses spamming login endpoints, which is what Discord did.
The attack discordgg.ga ran isn?t a CSRF attack but a MITM (Man-In-The-Middle) attack, which can?t be avoided through CSRF tokens. The attacker did inject JS in the webpage, which could have easily fetched CSRF tokens by itself making the protection non effective. Man in the middle attacks cannot be avoided, except by being careful.
Stay safe, don?t click suspicious links, enable Two-Factor Authentication and use strong passwords. And don?t trust everything you read on the Internet!
Thanks for reading, might start doing some posts like that if I get some topics to talk about! ? Bowser65
