2FA required for moderation can be evade with bots. (NOT A BUG) #4175
Replies: 4 comments 8 replies
-
|
there's a few people confused by the wording on here, so I'll rephrase it as "expose to bots that an user isn't able to use moderation permissions because they don't have 2fa enabled" |
Beta Was this translation helpful? Give feedback.
-
|
yup i mean that! |
Beta Was this translation helpful? Give feedback.
-
|
Agreed, ruins the whole point of 2fa requirement for moderation |
Beta Was this translation helpful? Give feedback.
-
|
Yeah. Assume that my account was hacked, if the server owner have 2FA requirement for moderation and my account did not turn on 2FA, the hacker(s) will simply need to add a bot (or use remaining bot in the server), and the bot will do moderation actions for them. |
Beta Was this translation helpful? Give feedback.
-
|
your account would need the manage server permission and 2fa to add the bot |
Beta Was this translation helpful? Give feedback.
-
|
If your account gets "hacked" (= password compromised) and does not have 2FA enabled then the attacker can just simply activate 2FA with THEIR Authenticator app. Adding a bot to bypass is not the threat. The "2FA requirement for mods" is only an incentive for people to activate it ahead of being compromised. |
Beta Was this translation helpful? Give feedback.
-
|
The easiest way would probably be to expose the user object's |
Beta Was this translation helpful? Give feedback.
-
|
I'm pretty sure Discord will dislike exposing everyone's 2FA status. You can already get the 2FA status of someone with OAuth2, see OAuth2 docs at This way, bots can check if the moderator has 2FA enabled and thus forbid the command if they don't have it |
Beta Was this translation helpful? Give feedback.
-
Then, all the mods who have to use that bot, needs to login in order to leak their 2fa status |
Beta Was this translation helpful? Give feedback.
-
|
I suggest not using discord.py as an example for making api calls |
Beta Was this translation helpful? Give feedback.
-
|
It's pretty much pseudocode anyway. |
Beta Was this translation helpful? Give feedback.
-
|
lol they wanted to give an example |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
If a server has require 2FA for moderation, the API will record that a person have moderation perms only when they have mod perms and have 2FA enabled
Like this: (example in dpy, author have administrator perms):
@commands.has_permissions(administrator=True) #always return True if the author turned on 2fa@commands.has_permissions(administrator=True) #return False if the author did not turn on 2FA and the server required 2FA for moderation@commands.has_permisssions(administrator=True) #always return True if the server does not require 2FA for moderationBeta Was this translation helpful? Give feedback.
All reactions