
Automatic invalidation of Discord bot tokens

Open · ThatOtherAndrew opened this issue 2 years ago · 1 comment

Someone leaking their bot token by accident in #python-discussion had gotten me thinking: would it be possible for the bot to automagically invalidate bot tokens, similar to GitHub's secret scanning, as a precautionary security measure? Putting myself in the shoes of a malicious actor, wouldn't it be trivial to run a self-bot in the server which awaits tokens, authenticates as them and performs automated malicious actions?

Relevant discussion in #community-meta

ThatOtherAndrew, Jan 19 '24 21:01
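The detection half of the idea above (spotting a bot token in a chat message, the way GitHub secret scanning spots one in a commit) can be done locally by the server's own bot even though invalidating the token cannot. The following is an added example, not the python-discord bot's code and not anything from this thread. It assumes the bot-token layout `base64(bot user id).base64(timestamp).hmac`, where the first segment decodes to a decimal Discord snowflake; that layout, the regex widths, and the `DISCORD_EPOCH_MS` plausibility check are assumptions of this example. The sample message and the token in it are constructed inline from a made-up user ID.

```python
import base64
import re

# Assumed layout of a bot token (an assumption for this example):
#   <base64(decimal bot user id)>.<base64(timestamp)>.<hmac>
# Segment widths are loose on purpose; the snowflake check below does the real filtering.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_-])"                       # not preceded by another token char
    r"([A-Za-z0-9_-]{23,28})\.([A-Za-z0-9_-]{6,7})\.([A-Za-z0-9_-]{27,})"
)

# Discord's snowflake epoch: 2015-01-01T00:00:00Z in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000
# Upper bound used only as a sanity limit (year 2100), also an assumption of this example.
UPPER_BOUND_MS = 4_102_444_800_000


def _b64_decode_unpadded(segment: str) -> bytes:
    """Decode a base64url segment whose '=' padding has been stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def looks_like_user_id(segment: str) -> bool:
    """True if the first token segment decodes to a plausible Discord snowflake.

    This is what separates a real token from random base64-looking text:
    the decoded bytes must be ASCII digits and the embedded timestamp must
    fall between the Discord epoch and the sanity upper bound.
    """
    try:
        decoded = _b64_decode_unpadded(segment).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    if not decoded.isdigit():
        return False
    snowflake = int(decoded)
    created_ms = (snowflake >> 22) + DISCORD_EPOCH_MS   # top bits of a snowflake are a timestamp
    return DISCORD_EPOCH_MS < created_ms < UPPER_BOUND_MS


def find_tokens(message: str) -> list[str]:
    """Return every substring of `message` that matches the token shape and passes the ID check."""
    return [m.group(0) for m in TOKEN_RE.finditer(message) if looks_like_user_id(m.group(1))]


def redact_tokens(message: str) -> str:
    """Replace verified tokens with a placeholder, leaving regex-only matches untouched."""
    def _sub(m: re.Match) -> str:
        return "[REDACTED BOT TOKEN]" if looks_like_user_id(m.group(1)) else m.group(0)
    return TOKEN_RE.sub(_sub, message)


def make_fake_token(user_id: int) -> str:
    """Build a syntactically valid, non-functional token from a made-up user ID (constructed data)."""
    head = base64.b64encode(str(user_id).encode("ascii")).decode("ascii").rstrip("=")
    return f"{head}.GaBcDe.{'x' * 27}"   # timestamp and hmac segments are filler


# Constructed sample input: a fake ID, not a real bot.
FAKE_USER_ID = 123456789012345678
FAKE_TOKEN = make_fake_token(FAKE_USER_ID)
SAMPLE_MESSAGE = f"my bot keeps crashing, here is the code: TOKEN = '{FAKE_TOKEN}' client.run(TOKEN)"
# Random base64-looking text of the right shape that must NOT be flagged.
LOOKALIKE = "aaaaaaaaaaaaaaaaaaaaaaaaa.bbbbbb.ccccccccccccccccccccccccccc"

if __name__ == "__main__":
    print("found:", find_tokens(SAMPLE_MESSAGE))
    print("lookalike found:", find_tokens(LOOKALIKE))
    print("redacted:", redact_tokens(SAMPLE_MESSAGE))
```

A bot using this would delete the offending message and tell the author to regenerate the token in the developer portal; that is the only remediation available to a third party, since the thread below notes there is no endpoint to invalidate a token directly. The snowflake check matters: without it, any three dot-separated runs of base64 characters (a URL path, a JWT fragment) would be flagged and deleted.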

Automated malicious actions could also just get the user/bot banned.

suspectedesp, Feb 04 '24 18:02

I think it was mentioned in the discussion after this was posted, but the reason we don't do this is that Discord doesn't expose an endpoint that allows invalidating tokens.

The only way to do this (afaik) would be to upload tokens to GitHub and rely on GitHub's secret scanning to remove them, which has a few issues:

  • If GitHub doesn't remove them immediately, uploading them to GitHub could make things worse.
  • It's a bit dodgy to upload people's tokens to a third-party service.
  • It would require some thought and effort to implement properly.

Uploading the tokens to GitHub isn't an outlandish idea, but I don't think it's a big enough issue for it to outweigh the negatives, so I'll close this.

wookie184, Mar 26 '24 17:03