DisCatSharp (DCS), Discord's resident "cutesy" C# / .NET Discord API library, has recently been patched to fix a major security vulnerability, but not without gratuitous drama.

Background

DisCatSharp (DCS) is a Discord API library written in C# for the .NET framework. Like other such libraries, DCS facilitates interactions with the Discord API for developers writing Discord bots and other applications. As a part of these interactions, libraries will typically make HTTP requests to the Discord API on behalf of the developer.

Most HTTP requests to the Discord API require an authorization header, which is a piece of client-identifying information that is replicated in every request to the server (or ideally only in the requests that require it). Under normal circumstances, this header contains private credentials that are not intended to be shared with others. If they are shared or leaked, then undesired operations can be performed by malicious "actors" on behalf of and against the wishes of the original developer. However, it is generally acceptable to configure a reputable third-party library to see any such credentials on the assumption that the library will process and use them safely.

Description

In addition to facilitating interactions with the Discord API, DCS includes a method that contacts the DCS team's own API. Prior to the event reported here, this method was named GetDisCatSharpTeamAsync and was a member of the DiscordApiClient class. This method made requests to https://dcs.aitsys.dev/api/devs/ and https://dcs.aitsys.dev/api/guild/ to fetch information about the DCS team and their support guild. These "endpoints" are a proxy for data that is provided by the Discord API itself, and rehosting Discord data in this manner may be a violation of Discord's own Developer Terms of Service or Policy. In addition to this already suspicious operation, it was discovered by multiple Discord users that, in the process of making these requests to the DCS API, the library was including the regular Discord API bot authorization header as a part of the request. Since this operation was for communicating with the DCS API, and not the Discord API, this header was not needed and should not have been included due to its sensitive nature described above.

Impact

It is unclear how long this behavior has existed or whether its introduction was intentional. The original interaction with the DCS API appears to have been added on 17 Sep 2021, while the more offensive token-leaking code appears to have been added on 5 Dec 2021, both authored by maintainer Lulalaby. The corresponding pull request #88 is titled "T104" and was self-merged without any comments except "Exposes the HttpClient for custom usage."

Resolution

This behavior was apparently patched on 11 Apr 2022 without comments or review. An independent test later performed by Discord user Michaili#1397 shows that the token-leaking behavior exists before this patch is applied but does not exist after it is applied. [1]
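The failure mode described under Description, and the kind of check behind the independent test mentioned under Resolution, as an added example that is not DisCatSharp's own code. It assumes the common .NET pattern of a single shared HttpClient whose DefaultRequestHeaders carry the bot token (an assumption; the page does not state how the header came to be attached), contrasts it with a DelegatingHandler that attaches the token only when the request targets the Discord API host, and routes both through a recording handler so the outgoing headers can be inspected offline. The host dcs.aitsys.dev is taken from the page; the token value is a constructed placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Test double: records every outgoing request and the Authorization header it carried,
// instead of touching the network. This is the check a reviewer would run against a client.
sealed class RecordingHandler : HttpMessageHandler
{
    public List<(Uri Uri, string? Auth)> Sent { get; } = new();

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        Sent.Add((request.RequestUri!, request.Headers.Authorization?.ToString()));
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent("{}") });
    }
}

// Hardened form: the token is attached per request, and only for the Discord API host.
// The HttpClient itself never holds the credential, so handing the client out for
// "custom usage" does not hand out a pre-authenticated client.
sealed class ScopedAuthHandler : DelegatingHandler
{
    private readonly string _token;
    public ScopedAuthHandler(string token, HttpMessageHandler inner) : base(inner) => _token = token;

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        if (string.Equals(request.RequestUri?.Host, "discord.com", StringComparison.OrdinalIgnoreCase))
            request.Headers.Authorization = new AuthenticationHeaderValue("Bot", _token);
        else
            request.Headers.Authorization = null; // never forward the bot token to a third-party host
        return base.SendAsync(request, ct);
    }
}

static class Demo
{
    const string Token = "PLACEHOLDER_BOT_TOKEN"; // constructed placeholder, not a real credential

    // Vulnerable pattern (assumed): a shared client with the token in DefaultRequestHeaders
    // sends that header to every host it contacts, including the third-party API.
    static async Task<List<(Uri, string?)>> LeakyClientAsync()
    {
        var recorder = new RecordingHandler();
        using var client = new HttpClient(recorder);
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bot", Token);
        await client.GetAsync("https://discord.com/api/v10/users/@me");
        await client.GetAsync("https://dcs.aitsys.dev/api/devs/"); // third-party endpoint named on the page
        return recorder.Sent;
    }

    // Hardened pattern: same two requests, token scoped to the Discord API host only.
    static async Task<List<(Uri, string?)>> ScopedClientAsync()
    {
        var recorder = new RecordingHandler();
        using var client = new HttpClient(new ScopedAuthHandler(Token, recorder));
        await client.GetAsync("https://discord.com/api/v10/users/@me");
        await client.GetAsync("https://dcs.aitsys.dev/api/devs/");
        return recorder.Sent;
    }

    static async Task Main()
    {
        var runs = new (string Name, Func<Task<List<(Uri, string?)>>> Run)[]
        {
            ("leaky", LeakyClientAsync),
            ("scoped", ScopedClientAsync),
        };
        foreach (var (name, run) in runs)
        {
            Console.WriteLine($"== {name} client ==");
            foreach (var (uri, auth) in await run())
                Console.WriteLine($"{uri.Host,-18} Authorization: {auth ?? "(none)"}");
        }
    }
}
```

Run as a console project on a current .NET SDK. The leaky client prints the Bot header for both discord.com and dcs.aitsys.dev; the scoped client prints it for discord.com only and "(none)" for the third-party host. The same recording handler is what an independent reproduction like the one cited above needs: wire it beneath the library's client, exercise the method that contacts the non-Discord endpoint, and inspect the recorded Authorization value for that host.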

However, GitHub users quinchs and jameswalston proposed that the behavior did still exist, as indicated by incendiary pull requests #127 and #128, both opened on 12 Apr 2022. The pull requests were declared "bullshit" by Lulalaby, who reported that "[the library] never transmitted tokens" and attempted to censor the contents of the pull requests. [2] [3] [4]

After the opening of the two pull requests and Lulalaby's reaction to them, additional attention was drawn towards DCS and its development team for the lack of clarity and transparency surrounding the potential security issue. Out of an abundance of caution, GitHub user JMLutra applied an additional patch that referenced the two pull requests.

However, GitHub user Saalvage effectively reverted this change with a patch titled "Mitigate targeted harassment attack by rivalling library". Additionally, the original library method GetDisCatSharpTeamAsync was renamed to GetLibraryDevelopmentTeamAsync. At the same time, Saalvage posted an announcement on Discord (as Salvage#6982) about an attack on DCS and its team. The security vulnerability was again dismissed. [5]

Eventually, on 13 Apr 2022, the DCS team confirmed that the vulnerability did exist by initiating a security advisory, contradicting the prior statements of Lulalaby and Saalvage. Additionally, a Discord system message (not to be confused with Discord system messages) was distributed to warn users of the vulnerability. [6]

Comments

While the two pull requests and their insinuations may have been unfounded, they importantly called attention to a security vulnerability that had existed for several months. Additionally, they called attention to the library maintainers and the manner in which they handled the situation: instead of taking the time to review, accept, and address the situation gracefully, they resorted to obscenity, obscurity, and counter-accusations, all of which attracted undue attention and drama.

This is not the first time that drama of this type has shown up in the Discord API scene. On 17 Dec 2021, Lulalaby was scolded by GitHub user and Discord employee IanMitchell for Code of Conduct violations. On 19 Jan 2022, Lulalaby, quinchs, and jameswalston all appeared in a pull request to add pycord (another Discord API library, itself a fork of discord.py) to the official community resources page. The discussion was locked and marked as "too heated", but the change was eventually merged by GitHub user and Discord employee typpo, apparently against the wishes of the general Discord API community. Pycord maintainers are accused of receiving special treatment since their community server is the only known Discord API library server that is also a Discord Partner.

The author recommends against using DisCatSharp and recommends against interacting with its maintainers. The author recommends using alternatives such as Discord.Net or DSharpPlus. Both are featured on Discord's community resources page and in the Discord API community server.