Skip to content

Instantly share code, notes, and snippets.

@Nickguitar
Last active October 4, 2024 16:28
Show Gist options
  • Save Nickguitar/7c6bdfa8255b2ec7e0d6d4015550ce4c to your computer and use it in GitHub Desktop.
Save Nickguitar/7c6bdfa8255b2ec7e0d6d4015550ce4c to your computer and use it in GitHub Desktop.
Bypassing Discord's masked links filter
@RedStone576
Copy link

nice, thats a good one, tho looks more obvious for me than the first 4 examples above lol

@YellowAfterlife
Copy link

YellowAfterlife commented Jul 12, 2024

Trying to filter similar characters is a bit of an uphill battle, especially once you take into account combining glyphs and rendering. For example, combining diacritics might add just a few pixels to the glyph:

image

I wouldn't bother too much with reporting these - back when they first started rolling out this feature, there were a bunch more bugs like masked link not being shown on mouseover inside OpenGraph embeds (which you could then route through one or other redirection method that the user might have whitelisted):

image

Upon reporting it along with other considerations I was informed that they don't consider this a bug, will not fix it, and that it's generally out of scope for the bounty program (half a year later, they did fix it).

@RheaAyase
Copy link

Awesome,

nitpick you can tweak in the 2nd paragraph:

- [https://malicious.com](https://example.com)
+ [https://example.com](https://malicious.com)

The whole paraph:

- In the context of cybersecurity, one of the first things that comes to mind is to try to make a fake link, putting another URL on the "text" part. It would be something like [https://malicious.com](https://example.com). By doing so, an user would see the URL https://example.com, but by clicking on it, he would be redirected to https://malicious.com.
+ In the context of cybersecurity, one of the first things that comes to mind is to try to make a fake link, putting another URL on the "text" part. It would be something like [https://example.com](https://malicious.com). By doing so, an user would see the URL https://example.com, but by clicking on it, he would be redirected to https://malicious.com.

The following screenshot after this paragraph is also wrong way around.

@Nickguitar
Copy link
Author

Awesome,

nitpick you can tweak in the 2nd paragraph:

- [https://malicious.com](https://example.com)
+ [https://example.com](https://malicious.com)

The whole paraph:

- In the context of cybersecurity, one of the first things that comes to mind is to try to make a fake link, putting another URL on the "text" part. It would be something like [https://malicious.com](https://example.com). By doing so, an user would see the URL https://example.com, but by clicking on it, he would be redirected to https://malicious.com.
+ In the context of cybersecurity, one of the first things that comes to mind is to try to make a fake link, putting another URL on the "text" part. It would be something like [https://example.com](https://malicious.com). By doing so, an user would see the URL https://example.com, but by clicking on it, he would be redirected to https://malicious.com.

The following screenshot after this paragraph is also wrong way around.

Thanks, just edited the paragraph!

@redactedontop
Copy link

Howdy, Nick. Could I ask for your discord I could contact you? I'm also doing some research about masked links.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment