How I Discovered a High-Severity Vulnerability to Secretly Read Messages on Discord

Mirzababa
2 min read, Dec 23, 2024


Discord has a feature named “Invite as Guest” on voice channels. When you use it, it creates an invite link, and when someone joins through that link they are placed directly into the voice channel. If they leave the voice channel, they are kicked out of the server; that is why it is called a Guest invite. In other words, a guest's membership in the server is supposed to be tied to their presence in the voice channel.

I thought: what would happen if I got rate-limited while changing voice channels and then joined the server as a guest? I did try it, and when I joined the server I wasn't in the voice channel, which surprised me. I was supposed to be in the voice channel so that if I left it I would get kicked from the voice channel, but I couldn't leave the voice channel because I wasn't in it, so I stayed in the server forever, and no one knew I was there because the members list didn't show me. Also, I couldn't get banned, because the server thought I wasn't in it, so I was literally a ghost in the server who could read messages secretly.
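To make the state inconsistency concrete, here is an added toy model (not Discord's code) of guest admission: the naive variant admits the guest before the voice join completes, so a rejected voice join (modelled here as a constructed `RateLimited` error) leaves a guest who is in the server but in no voice channel; the hardened variant only admits the guest once the voice join has succeeded. All class and function names are assumptions for illustration.

```python
from dataclasses import dataclass, field


class RateLimited(Exception):
    """Constructed stand-in for the voice-state update being rejected."""


@dataclass
class Server:
    members: set = field(default_factory=set)   # full members, shown in the list
    guests: set = field(default_factory=set)    # users admitted via a guest invite
    voice: dict = field(default_factory=dict)   # user -> voice channel they are in

    def accept_guest_invite_naive(self, user, channel, voice_join_ok=True):
        """Vulnerable shape: admit first, then try to move the user into voice."""
        self.guests.add(user)
        if not voice_join_ok:
            raise RateLimited(user)   # guest stays admitted but never enters voice
        self.voice[user] = channel

    def accept_guest_invite_hardened(self, user, channel, voice_join_ok=True):
        """Fixed shape: admission happens only after the voice join succeeds."""
        if not voice_join_ok:
            raise RateLimited(user)   # nothing was admitted, nothing to clean up
        self.guests.add(user)
        self.voice[user] = channel

    def leave_voice(self, user):
        """A guest who leaves their voice channel is removed from the server."""
        self.voice.pop(user, None)
        self.guests.discard(user)

    def ghosts(self):
        """Guests the server admitted but who are in no voice channel."""
        return {u for u in self.guests if u not in self.voice}

    def can_read(self, user):
        return user in self.members or user in self.guests

    def visible_members(self):
        """Only members and guests currently in voice appear in the list."""
        return self.members | {g for g in self.guests if g in self.voice}


def simulate(hardened, voice_join_ok):
    """Run one guest join and report what the server believes afterwards."""
    s = Server(members={"owner"})
    join = s.accept_guest_invite_hardened if hardened else s.accept_guest_invite_naive
    try:
        join("guest", "voice-1", voice_join_ok)
    except RateLimited:
        pass   # the client sees an error either way; the server state differs
    return {"ghosts": s.ghosts(), "can_read": s.can_read("guest"),
            "visible": "guest" in s.visible_members()}
```

The invariant a defender wants is `ghosts()` always empty: admission and voice placement must succeed or fail together, and a periodic check for guests with no voice state catches any that slip through.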

After finding this vulnerability, I reported it to Discord's security team through HackerOne and was rewarded with a $$$$ bounty.

Thanks for reading! You can read my other posts from my profile.

Written by Mirzababa

passionate about cybersecurity and pentesting https://mirzebaba.me
