Impact
This vulnerability impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions:
- The instance of IdentiBot is tied to a "public" Discord application—i.e., users other than the API access registrant can add it to servers; and
- The instance has not yet been patched.
Patches
The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in 48e3e5e).
Workarounds
There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated.
Detailed Description
IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., /kerbid) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot.
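The missing check described above is a guild-level authorization gate: before a command that returns identity data runs, the bot must confirm that the server (guild) the interaction came from is one the operator approved. The following is an added illustration of such a gate, not IdentiBot's own code; it is framework-agnostic, and the guild IDs, the user directory, and the `Interaction` class are constructed placeholders. It fails closed for interactions with no guild (direct messages) and for guilds not on the allowlist, so an unapproved server that adds the bot gets a refusal rather than a directory lookup.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist of guild (server) IDs the operator has approved.
# In a real deployment this would come from configuration or a database.
AUTHORIZED_GUILDS = frozenset({"111111111111111111", "222222222222222222"})

# Constructed stand-in for the verified-user directory (Discord user ID -> identity).
VERIFIED_USERS = {
    "900000000000000001": {"kerb": "example", "name": "Example Person"},
}


@dataclass
class Interaction:
    """Minimal stand-in for a slash/user command interaction (constructed)."""
    command: str
    guild_id: Optional[str]  # None when the command is invoked in a DM
    invoker_id: str
    target_user_id: str


def is_guild_authorized(guild_id: Optional[str], authorized=AUTHORIZED_GUILDS) -> bool:
    """Return True only for an interaction that came from an approved guild.

    A missing guild (DM context) is treated as unauthorized so that the
    check fails closed rather than open.
    """
    if guild_id is None:
        return False
    return str(guild_id) in authorized


def lookup_identity(target_user_id: str) -> Optional[dict]:
    """Directory lookup for a verified user; None if the user never verified."""
    return VERIFIED_USERS.get(target_user_id)


def handle_kerbid(interaction: Interaction) -> dict:
    """Handle a /kerbid-style command, enforcing guild authorization first.

    Returns a response dict: {"ok": True, "identity": {...}} on success,
    or {"ok": False, "reason": "..."} when the request is refused.
    The authorization check runs before any identity data is touched.
    """
    if not is_guild_authorized(interaction.guild_id):
        # Refuse and leave an audit trail; the caller never sees directory data.
        print(f"refused {interaction.command} from guild={interaction.guild_id} "
              f"by user={interaction.invoker_id}: guild not authorized")
        return {"ok": False, "reason": "This server is not authorized to use IdentiBot."}

    identity = lookup_identity(interaction.target_user_id)
    if identity is None:
        return {"ok": False, "reason": "That user has not verified with IdentiBot."}
    return {"ok": True, "identity": identity}


if __name__ == "__main__":
    approved = Interaction("kerbid", "111111111111111111", "123", "900000000000000001")
    rogue = Interaction("kerbid", "333333333333333333", "456", "900000000000000001")
    dm = Interaction("kerbid", None, "456", "900000000000000001")
    for ix in (approved, rogue, dm):
        print(ix.guild_id, "->", handle_kerbid(ix))
```

The important property is ordering: the allowlist check is the first thing the handler does, so a rejected interaction never reaches `lookup_identity`. Treating a missing guild ID as unauthorized also covers commands enabled in DM contexts, which would otherwise bypass any server-based check entirely.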