The breach in question is documented here: https://youtube.com/watch?v=lUiLBBab1RY
I don’t think there’s a text write-up, but tl;dw a combination of missing input sanitization and no-code UI trickery made it possible to leak other users’ bot tokens, and despite patching the exploit pretty quickly on exposure, BotGhost’s developer tried to cover it up and refused to reset potentially affected tokens.
I really dislike the way they try and play this down in the doc:
So now botghost is doing a pentest. But I dunno... my guess at the likelihood of doing a good job backfilling security into a codebase that wasn't built with that as a core concern is also low.
I suppose they could have logged only if a bot token was detected in output. But if you'd think to do that, then why not also just block the output?
But it is correct that the article does not reiterate the technical details of the exploit.
A while back there was a service called 'Spy Pet' that ran hundreds of discord bots selling access to searchable data logs. I wonder if discord is primarily concerned about the massive logging capability of services like these.
That cuts out a lot of the value for LLM training; and will reduce the blast radius if Discord ever decides to fully pull the plug on message access.
Tech will turn into a casino where the house (aka the platform) always wins.
I only ever did this on my own server for good reason, but still.
Really a bot doesn't have any more access than a user does. You as a user can manually scroll back through the entire server history, you can check on roles, and you can see the names of channels that are hidden from you.
But it becomes a problem when bots are doing this at scale and selling the resulting data. Sort of like some other bots that people like to argue are doing the same thing a human could.
> Unfortunately, the only method currently offered by Discord involves committing them to a public GitHub repo, which is not a viable or secure option.
For whatever it's worth, I actually think this dev is understating the impact of their security issues. They had 2 token leaks - albeit conditional and with prerequisites. Given the sorts of tokens that a user has to supply to use this sort of generic app builder, this is pretty serious.
That said, I think inconsistent enforcement, when it favors them, is a really bad look on Discord. It totally looks like they're doing cover-their-ass, whack-a-mole, public relations-driven enforcement.
None of that matters in the slightest. They're dealing with an indifferent, capricious, unaccountable company. And trying to do it without enough leverage to even get a response.
It seems like it's about to end the way it was always going to.
i was sorta curious on the policy changes over time, since botghost has been around since '18. all i can say is good luck to botghost
histories of policies-ish:
- from the tl;dr (they also explain #4 as well in the non-tl;dr):
> Discord issued a breach notice to BotGhost, claiming the platform violates Developer Policy 4 by handling bot tokens, which has been a core part of how BotGhost has worked since 2018.
- policy from discrap: https://support-dev.discord.com/hc/en-us/articles/8563934450...
> 4. Do not collect, solicit, or deceive users into providing passwords or other credentials. Under no circumstances may you or your Application request or attempt to obtain login credentials from Discord users. This includes information such as passwords or account access or login tokens.
- policy in 2022 (of that page, but note the random digits in the numbers make it terrible to easily see history), thanks archive.org!: https://web.archive.org/web/20221001073449/https://support-d...
> Do not collect, solicit, or deceive users into providing user login credentials. Under no circumstances may you or your Application solicit, obtain, or request login credentials from Discord users in any way. This includes information such as passwords or user access or login tokens.
- and archive.org of github of the before 2022 change (mentioned in the above archive) (does not really mention collecting of user auths - as per my quick glance [i welcome a double check]): https://web.archive.org/web/20220921062136/https://github.co...
edit: fix copy-pasta
The existence of terms like this makes any discussion of the other terms look pretty silly.
Their policy is simply that they do whatever they want, and that hasn't changed.
> BotGhost cannot export bot configurations due to its no-code structure. If shutdown happens, all bots and user data will be permanently lost.
I don't think I understand this part - what does the "no-code" mean in this context? How can this data not be stored somewhere for the service to function at all? Does this mean that BotGhost also has no backups, and a technical glitch could cause a similar problem?
Never build your main business on somebody else's platform.
Always assume that you will get shut down / rugged when you do so.
You're being facetious, but OP is right. For software platforms, this has been a constant. It happened with Twitter, Facebook, Google (Search/Ads, Maps, Chat), Reddit, LinkedIn - basically every major software platform started off with relatively open APIs that were then closed off as it gained critical mass and focused on monetization.
Pretty much every business is built on shaky foundations. If you never built a business on shaky foundations, you'd never do anything at all. You needed an IBM-compatible PC to use Windows! You need a web browser to use Hacker News. Y Combinator is only meaningful as long as dollars are worth something.
If you make a business that runs on IBM PCs, make a few billion dollars, then 10 years later IBM rugpulls the PC line and sues everyone who copied it... was there really a "lesson" that needed "learning" or did you simply succeed at business and make a few billion dollars?
Yep. It’s a lesson that keeps being re-learned the hard way.
It’s bad advice.
Are there any (profitable) phone apps that are not built on top of the app/play store?
Android also supports third party stores/standalone installers and iOS is fighting an ongoing legal battle due to its lack of a permanent equivalent.
You have to build on something, and there's going to be a corporation somewhere in your stack.
Discord, Twitter, Reddit, etc. that have become hostile to third parties have free APIs to reel in developers to make their platform more attractive to users, and once they’ve reached critical mass, they turn around and fuck over those developers. This is because their primary business model is serving their users, and developers eventually “get in the way”.
So the person you’re replying to should add an addendum: never build your app/business on top of third parties IF their primary business models aren’t providing services to developers.
Chat bots on your own hosted platform which has no users aren't something people will want to buy. I mean, some people will want to buy it for click to chat on their websites or something. But if there's a market for chat bots in general spaces, you have to address that market where people are chatting, which is Discord, apparently.
However, they do claim that Mee6 (the biggest Discord bot by # of servers, iirc) offers a similar feature but Discord is letting them slide?
Not saying it's the right thing to do, but it seems to be their reasoning.
Can you imagine the value to LLM companies?
It’s probably the single largest collection of sexting content outside of WeChat (and Apple’s archive of iCloud Backups that contain all of the iMessages).
Create new account: all servers stuck in preview mode permanently
Create new account: instantly auto-banned
Create new account: phone-walled immediately
Create new account: banned immediately after providing phone number
Ban appeal: "our automated system is working properly, appeal denied"
Doesn't matter what computer/ISP/OS/browser/etc. I use, the experience is always one of these.
What they do is the same as a "cease and desist": they warn you that Discord might consider suing you or might try to ban you by technical means.
It's all about business, not what the terms say. If Discord thinks BotGhost is good for Discord's bottom line, they'll let it exist. If they think it's bad, they'll stop letting it exist. I haven't the slightest clue why Discord now thinks BotGhost is bad for Discord's bottom line, but it's probably got something to do with legibility (in the Seeing Like A State sense) to investors for their IPO. Or they're working on a competitor internally.
Basically, you are likely in competition with something they are making, or are otherwise bad for business. The specific policy violation they choose doesn't matter: you are getting dicked down because they want it to be so.
discord ain't a monopoly in any relevant sense of the word
I was excited there for a second.
I think Discord has a fair argument that if BotGhost "writes the code" (read: translates workflows to actual execution), and BotGhost operates the bot, then really it's BotGhost's bot and they should own the bot and have it be visible to users as their bot.
Yup just throw everyone else under the bus.
I use an adblock, so I don't see any ads on Reddit.
> I can't think of any way to look at this where Reddit is the lesser evil.
Reddit is the lesser evil for my personal use case because more and more Discord servers require a verified phone number to send messages. I can't get help if I can't send a message.
Discord on the other hand does everything IRC does but people have made it take the place of forums, blogs, file repos, etc etc. All this information is locked up in a platform that can't be searched or often even accessed without signing up for the platform. Unlike IRC however Discord is not a protocol that others can tie into - it's a platform and they can/do actively lock people out of it.
Bouncers and log bots have been a thing even 20 years ago when I was active on Freenode. In fact, a bouncer and log bot was what made me get my very first own VPS... time flies. It lasted a year until my first attempt at a libc upgrade failed, that was a lot of work to fix.
> Over 3 million users and bots created
which struck me as thoroughly disingenuous. Surely they know how many users they have, and how many bots have been created. Why conflate the two?
But it's hard to ignore actual people on the street in front of your office calling out your bullshit. In addition, it gives nice pictures for the press, and that's the only thing investors actually fear.
What's even stranger to me is that Discord was putting on a full-court press to get developers onto their platform over the last twelve months. This kind of response is certainly not going to help make devs feel all warm and fuzzy about continuing to build on Discord.