2025/11/26 / Discord

Story of My Self-Made Discord Bot Being Abused for Spam When I Published It

I published a self-made Discord bot, and it was used as a relay for spam. This post summarizes the architectural design mistakes that caused it and the security measures I am taking going forward.

discord nodejs security

Hello, I'm PanKUN.

This is the story of a big failure that happened when I made public a Discord bot I had been running personally.

The other day, an incident occurred on the game development server I manage. To my surprise, my self-made bot started steadily posting invite URLs for completely unrelated Discord servers, as if it had been hijacked. The cause was a fatal design error hidden in the bot's architecture.

As a note to myself, I want to record here all the mistakes I made and their countermeasures.

What was the problem?

There were roughly two causes.

1. Commands could be executed on other servers from any server

The architecture I wrote about in this article was the fundamental problem. Because I wanted to add many features without each developer having to add a bot of their own, the bot ended up with a specification where "commands can be executed from any server".

[Why was this bad?] Because of this specification, an attacker could send messages into my game development server from a server of their own: a command executed on server A took effect on a completely unrelated server B. The bot never checked that the server a command was invoked in and the server it acted on were the same, nor whether that command was permitted for the target server. This was the direct cause of the spam.

Thinking about it calmly, that is obviously bad. Even with nothing more than a file-based store, I should have managed which commands may be executed per server (guild).

2. The list of participating servers was published in the repository

This was also fatal. I kept the information about the servers the bot is in in a file called guilds.json, and I had committed it to a public repository on GitHub.

[Why was this bad?] guilds.json listed every server ID the bot was in. The attacker took this list, picked out the ID of the target (my game development server), and sent spam messages there. A server ID is not personal information, and Discord does not treat IDs as secrets, but combined with the first flaw it was all an attacker needed: the bot effectively treated knowledge of an ID as authorization to post there. In that architecture the list was confidential information after all...

Future measures

Based on this reflection, I decided to review the bot's mechanism from the ground up.

  1. Recreate the bot app and fully reset the token: First, completely delete the current bot app and recreate it as a new app. Resetting the token alone is not enough, so this is a restart from a clean state.

  2. Thorough permission management per guild: Separate processing completely by server ID (guild ID) so that a command can never affect another server. Going forward, I will introduce a mechanism that manages the allowed commands for each server in a file-based DB.

  3. Change the invitation method to a request system: Stop the public invite and switch to a request system where people contact me directly, so that I know who is using the bot.

  4. Repository cleanup: I will keep publishing the source code, but files that may contain confidential information, such as guilds.json, will be removed from the repository entirely and kept out with .gitignore. Note that deleting a file in a new commit leaves it in the repository history, and the IDs in guilds.json are already public, so the per-guild allowlist has to hold even against an attacker who knows every ID.

Summary

That was the story of my grand screw-up. My reflection is that by prioritizing the convenience of "making it usable by anyone", I lost sight of the most important consideration: security.

I will rebuild the bot in a safer form, so if anyone thinks "I still want to use it!", please feel free to reach out to me.
