Your Discord Messages Are For Sale (4 Billion of Them)

Seytonic
20 Apr 2024
10:29

TLDR

A website called spy.pet claims to be selling 4 billion Discord messages for as little as 10 cents, raising privacy concerns and legal issues. The site, which has been operational for a few months, uses bots to scrape messages from Discord servers, but does not affect private messages. Discord is investigating the site for violation of its policies, which prohibit data scraping. Additionally, Telegram faced rumors of a zero-day vulnerability in its desktop app for Windows, which was later confirmed to be a typo in the dangerous file extensions list. Telegram quickly fixed the issue. Meanwhile, an alleged iMessage exploit was reported by Trust Wallet, but the source of the exploit, 'CodeBreach Lab', was found to be a scam site, casting doubt on the credibility of the exploit.

Takeaways

  • 🚨 A website called spy.pet claims to be selling 4 billion Discord messages for as little as 10 cents, raising privacy and legal concerns.
  • 🔍 Spy.pet has scraped thousands of Discord servers and made the data searchable for paying customers, which Discord is investigating as a violation of their policies.
  • 🤖 The website operates using bots that join Discord servers and monitor messages, but private messages are not affected by this method.
  • 💬 Messages on mid-size and larger servers are more likely to be captured by spy.pet's bots, potentially exposing sensitive or private conversations.
  • 🚫 Spy.pet's claim to enhance user privacy is contradictory, as it involves exposing users' messages to paying customers.
  • 💰 The website only accepts cryptocurrency for payment, which could be an attempt to maintain anonymity for the operators.
  • 🔗 There is a supposed link to request data removal on spy.pet, but it is a joke redirect to a Spiderman clip, indicating no real option for users to remove their data.
  • 📈 Spy.pet, launched in November of the previous year, has been under the radar until recent media attention highlighted its activities.
  • 💼 The site targets 'Enterprise' customers, including those interested in AI training or intelligence gathering, which could be a significant legal issue.
  • 🛡️ Discord's terms of service explicitly forbid data scraping, and the site's operation could be in violation of GDPR, especially concerning underage users.
  • 🛑 The site has already faced DDoS attacks, and its anonymous nature could lead to a legal battle if its operations are challenged.
  • 📊 Data brokers like spy.pet are part of a larger industry that collects and sells personal data, with DeleteMe offering a service to help individuals remove their data from such brokers.

Q & A

  • What is the claim made by the website spy.pet regarding Discord messages?

    -The website spy.pet claims to be selling 4 billion Discord messages, having scraped thousands of Discord servers, millions of users, and billions of messages, making this data searchable for a fee.

  • How does spy.pet present itself in terms of legitimacy and user privacy?

    -Spy.pet presents itself as a well-put-together website with a legitimate feel, emphasizing user privacy. However, this is contradictory as the exposure of Discord messages is a violation of privacy.

  • What is the method used by spy.pet to gather data from Discord servers?

    -Spy.pet uses an army of bots disguised as real users that join servers and monitor messages sent within those specific servers. This means no vulnerability is being exploited, and private messages are unaffected.

  • How does spy.pet handle payment for its services, and what currency does it accept?

    -Spy.pet only accepts cryptocurrency as payment, specifically mentioning Monero in the script.

  • What is the potential legal issue with spy.pet's operation?

    -Spy.pet's operation is potentially illegal as it involves scraping data without consent, which is against Discord's policies. Additionally, the inability to remove personal data and the involvement of underage users further complicate legal compliance, possibly violating GDPR regulations.

  • What was the nature of the vulnerability reported in Telegram's Desktop app for Windows?

    -The reported vulnerability was a typo in Telegram's list of dangerous file extensions, where 'pywz' should have been 'pyzw'. This allowed .pyzw files, a type of Python file, to be executed easily within Telegram, potentially leading to arbitrary code execution on the user's PC.

  • How did Telegram respond to the vulnerability claim?

    -Initially, Telegram disputed the claim, suggesting the video demonstrating the vulnerability was likely a hoax. However, after the vulnerability was confirmed, Telegram quickly fixed the typo and implemented a server-side patch to prevent such files from running.

  • What was the reaction of the community to the alleged iMessage exploit?

    -The alleged iMessage exploit was widely reported and caused concern due to its potential to allow hackers to break into phones via infected text messages. However, the credibility of the source, 'CodeBreach Lab', was questioned, and the site was suspected to be a scam.

  • What is the role of data brokers and how do they operate?

    -Data brokers are companies that scrape the web for personal data, package it, and sell it to other companies or individuals. Spy.pet is essentially a data broker, operating in potentially legally questionable ways, whereas there are many legal data brokers that sell personal information.

  • How does the service DeleteMe help individuals with their personal data?

    -DeleteMe helps individuals by searching hundreds of data brokers for their personal data, compiling a personalized report within 7 days, and sending data removal requests on their behalf.

  • What is the significance of the 'pyzw' typo in the context of Telegram's security?

    -The 'pyzw' typo was significant because it meant that .pyzw files were not being treated as dangerous by Telegram, allowing them to be opened as easily as images or videos, which could have led to the execution of malicious code.

  • How did Telegram downplay the impact of the 'pyzw' vulnerability after it was fixed?

    -Telegram downplayed the bug by stating that less than 0.01% of their users have Python installed and use the relevant version of Telegram for Desktop, implying the vulnerability would affect very few users.

Outlines

00:00

🔍 Discord Messages for Sale: The Controversial Spy.pet Website

A website named spy.pet claims to have scraped and is selling 4 billion Discord messages, raising privacy and legal concerns. The site, which has been operational for a few months, offers a searchable database of messages from thousands of Discord servers for a fee. Despite claiming to prioritize user privacy, the site monetizes access to users' messages, which are collected through bots disguised as regular users. Discord is investigating the situation and plans to enforce its policies against data scraping. The legality of the site's operations is questionable, especially considering GDPR implications and the involvement of underage users. Spy.pet is also facing DDoS attacks and is compared to data brokers that legally sell personal information. The video recommends using 'DeleteMe' to help manage and remove personal data from other companies that trade in personal information.

05:03

🛡️ Telegram's Misstep: A Typo That Could Have Led to Vulnerability

Telegram faced rumors of a zero-day vulnerability in its desktop app for Windows, where clicking on an image could execute arbitrary code. Initially dismissed as a hoax, the vulnerability was later confirmed and traced to a typo in the list of dangerous file extensions within Telegram's source code. Because the list contained 'pywz' instead of 'pyzw', '.pyzw' files (a type of Python file) could be opened without the usual security warnings, potentially enabling hackers to run malicious code. Telegram quickly fixed the typo and implemented a server-side patch. Telegram downplayed the issue by stating that very few users would be affected, but that claim raised questions about Telegram's knowledge of users' installed software. Meanwhile, iMessage was falsely reported to have a high-risk exploit targeting it, which was later debunked as a scam originating from a dubious dark web site.
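A check that would catch this kind of blocklist typo before release, as an added example that is not Telegram's code. The blocklist contents, the function names and the reference set of Python extensions are assumptions made for illustration.

```python
"""Audit a 'dangerous extensions' blocklist for typos (added example, not Telegram's code)."""

# Constructed blocklists: the first reproduces the 'pywz' typo the page describes.
BLOCKLIST_WITH_TYPO = {"exe", "bat", "cmd", "py", "pyw", "pyz", "pywz"}
BLOCKLIST_FIXED = {"exe", "bat", "cmd", "py", "pyw", "pyz", "pyzw"}

# Assumed reference set: Python source and zipapp extensions that are
# runnable by double-click when Python is installed on Windows.
PYTHON_REFERENCE = {"py", "pyw", "pyz", "pyzw"}


def extension(filename):
    """Return the last extension, lower-cased, ignoring trailing dots and spaces."""
    name = filename.rstrip(". ").lower()
    _, dot, ext = name.rpartition(".")
    return ext if dot else ""


def needs_warning(filename, blocklist):
    """True if the client should warn before opening this file."""
    return extension(filename) in blocklist


def is_transposition(a, b):
    """True if a and b differ only by swapping two adjacent characters."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def audit_blocklist(blocklist, reference):
    """Return (reference extensions not blocked, blocked entries that look like typos of them)."""
    missing = sorted(reference - blocklist)
    suspects = {entry: ref
                for entry in blocklist - reference
                for ref in missing
                if is_transposition(entry, ref)}
    return missing, suspects


if __name__ == "__main__":
    for label, bl in (("typo", BLOCKLIST_WITH_TYPO), ("fixed", BLOCKLIST_FIXED)):
        print(label, needs_warning("video.pyzw", bl), audit_blocklist(bl, PYTHON_REFERENCE))
```

Run as a unit test against the shipped list, the audit fails the build whenever a reference extension is uncovered, which turns a silent typo into a visible error.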

10:08

🚫 The iMessage Exploit Scam: A Warning Based on Unsubstantiated Claims

A warning about a high-risk zero-day exploit targeting iMessage spread widely after being tweeted by 'Trust Wallet'. The exploit was claimed to be available for sale on a dark web site called 'CodeBreach Lab' for $2 million. However, the credibility of the source and the claims were questioned due to the lack of technical details and the suspicious nature of the 'CodeBreach Lab' site. The site was poorly designed and appeared to be a scam, with no evidence of any actual sales or transactions. It was suggested that finding and developing such vulnerabilities is a complex process typically requiring significant resources, casting doubt on the legitimacy of the site's claims.

Keywords

💡Discord Messages

Discord Messages refers to the text communications exchanged between users on the Discord platform. In the video, it is mentioned that a website called spy.pet claims to have scraped and is selling billions of these messages, which raises privacy concerns and legal issues.

💡Data Scraping

Data Scraping is the process of automatically extracting large amounts of data from websites. In the context of the video, spy.pet is said to have scraped data from Discord servers, which includes user messages and profiles, and made it searchable on their website for a fee.

💡Cryptocurrency

Cryptocurrency is a digital or virtual currency that uses cryptography for security. The video explains that spy.pet only accepts cryptocurrency as a form of payment, which is significant as it potentially adds an extra layer of anonymity for the users of the website.

💡Bots

Bots are automated software applications that perform tasks. The video describes how spy.pet uses bots disguised as real users to join Discord servers and collect messages, which is a key part of how the website has amassed its database of Discord messages.

💡Zero-Day Vulnerability

A Zero-Day Vulnerability is a security flaw in a computer system or software that is unknown to the software developers, hence 'zero day'. The video discusses a supposed zero-day vulnerability in Telegram's Desktop app for Windows, which if true, could allow hackers to execute arbitrary code on a user's PC.

💡GDPR

GDPR stands for General Data Protection Regulation, which is a regulation in EU law that focuses on data protection and privacy for individuals. The video raises the point that spy.pet's actions may not be GDPR compliant, especially considering the involvement of underage Discord users.

💡Data Broker

A Data Broker is a company that collects and sells personal information about individuals. The video explains that spy.pet operates as a data broker by selling personal data scraped from Discord, which is a cause for concern due to the potential illegality and ethical issues involved.

💡DDoS Attacks

DDoS stands for Distributed Denial of Service. It is a type of cyberattack where multiple systems flood the bandwidth or resources of a targeted system, effectively shutting it down. The video mentions that spy.pet has been under DDoS attacks, indicating the controversy and opposition it faces.

💡DeleteMe

DeleteMe is a service that helps individuals remove their personal information from data broker databases. The video suggests that while DeleteMe cannot remove messages from spy.pet, it can assist with removing data from other companies that trade in personal information.

💡iMessage Exploit

An iMessage Exploit refers to a security vulnerability in the iMessage system that could be exploited by hackers. The video discusses a claim of a high-risk zero-day exploit targeting iMessage, which, if true, would be a significant threat to users' security.

💡Dark Web

The Dark Web is a part of the internet that is not indexed by traditional search engines and requires specific software, configurations, or authorization to access. It is often associated with illegal activities. The video mentions a dark web site called 'CodeBreach Lab' that is supposedly selling iOS exploits, though the credibility of the site is questioned.

Highlights

A website claims to be selling 4 billion Discord messages for as little as 10 cents.

The website, spy.pet, has scraped thousands of Discord servers, millions of users, and billions of messages.

Data on spy.pet is searchable for a fee, and Discord is not happy with the site's activities.

Spy.pet emphasizes user privacy but exposes messages of non-paying users.

The website only accepts cryptocurrency as payment, specifically Monero.

Spy.pet uses bots disguised as real users to join servers and collect messages.

Private messages on Discord are unaffected by spy.pet's data collection methods.

Messages on mid-size and larger servers are more likely to be collected by spy.pet's bots.

Discord messages are often treated as temporary, leading to many private conversations being made public.

There is a link to request data removal on spy.pet, but it leads to a joke video instead.

Spy.pet launched in November last year and has recently come under scrutiny.

The site is open to 'Enterprise' customers, including those interested in AI training or federal intel.

Discord is investigating the site and will enforce its policies against data scraping.

Spy.pet's operations may not be GDPR compliant, especially considering underage users.

The site is already facing DDoS attacks and legal challenges due to its activities.

Data brokers like spy.pet legally or illegally collect and sell personal data, with DeleteMe offering services to help remove such data.

Telegram faced rumors of a zero-day vulnerability but disputed the claims, suggesting the video was a hoax.

A typo in Telegram's code led to a confirmed vulnerability, allowing .pyzw files to be executed.

The Telegram vulnerability was quickly patched, and there were no known instances of it being exploited.

iMessage was falsely reported to have a high-risk zero-day exploit, likely originating from a scam site.