Discrepancy in behaviour between Discord's preview bot and URL detection allows clickjacking
Fake embeds can be generated using a Markdown special character and a deprecated way of passing credentials through a URL (RFC 1738, Section 3.1). Chained with Markdown's permissive formatting, the bug can be used to create very convincing phishing links.
Posted on Jan. 29, 2024, 1:56 a.m. by lenoctambule
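
A defensive check for the credentials-in-URL half of this issue, as an added example that is not from the original post: it pulls links out of a chat message, parses them, and flags any whose userinfo component (the part before `@`) reads like a domain name while the real host is something else. The regexes, function names and sample messages are assumptions constructed for illustration; the Markdown character involved is not modelled.

```python
import re
from urllib.parse import urlsplit, unquote

# Rough URL matcher for chat text (assumption: adequate for triage, not a full RFC 3986 parser).
URL_RE = re.compile(r"https?://[^\s<>()\[\]]+", re.IGNORECASE)
# Userinfo that reads like a domain name, optionally followed by ":..." or "/...".
HOSTLIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/].*)?$", re.IGNORECASE)

def audit_url(url):
    """Return a finding for a URL that carries userinfo, or None if it has none."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None  # not parseable as a URL; out of scope for this check
    userinfo, at, _ = parts.netloc.rpartition("@")
    if not at:
        return None  # "@" may still appear in path or query; that is not userinfo
    decoded = unquote(userinfo)  # percent-encoding must not hide a host-like name
    return {
        "url": url,
        "userinfo": decoded,
        "real_host": parts.hostname,  # what the client actually connects to
        "looks_like_host": bool(HOSTLIKE_RE.match(decoded)),
    }

def scan_message(text):
    """Find every URL in a chat message and return findings for those with userinfo."""
    findings = []
    for match in URL_RE.finditer(text):
        finding = audit_url(match.group(0).rstrip(".,;:!?"))
        if finding:
            findings.append(finding)
    return findings

# Constructed sample messages (reserved example domains, not taken from the post).
SAMPLES = [
    "Claim it here: https://discord.example@login.example.net/verify",
    "Staging is at https://alice:secret@intranet.example.org/ for now.",
    "Docs: https://docs.example.com/page?contact=a@b.example",
    "[Support](https://support%2Eexample.com@203.0.113.7/ticket)",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for f in scan_message(msg):
            level = "HIGH" if f["looks_like_host"] else "info"
            print(f"{level}: userinfo={f['userinfo']!r} real_host={f['real_host']!r}")
```

Any URL with userinfo is worth surfacing in a chat context; the `looks_like_host` flag separates ordinary embedded credentials from userinfo written to be read as the destination.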