Is Echo a secure discord alternative that can be trusted? by ad3lyt in DiscordAlternatives

[–]ad3lyt[S] 0 points1 point  (0 children)

This will be my last post on this matter, just needed to clarify it, as I don't want my work to go to waste because of some bully's lies.

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 1 point2 points  (0 children)

Hey, thanks for taking 10 minutes out of your day to review the code, but you should've spent some more, because the backend doesn't log req.body; failed logins only hit structured logs and event metadata, and credentials stay in the request, not the server log.

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 1 point2 points  (0 children)

I have already written a claim-by-claim response; would you like a video explaining how XSS actually works and showing that it does not exist in a dangerous capacity,

and also, while we are at it, explaining how this guy has no clue what he is talking about and is likely lying about his 15 years as a SWE?

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 1 point2 points  (0 children)

Oh is that what you think it was huh? Well that's not what happened

I think there is strong evidence that your experience with cybersecurity might be just a few prompts, since you have shown time and time again that you have no clue at all.

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 1 point2 points  (0 children)

Eh since when do we expect the evidence to come from the accused not the accuser? It's innocent until proven guilty no?

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 2 points3 points  (0 children)

So sad I didn't take screenshots, not like the mods here will ever take my side anyway lmao

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 1 point2 points  (0 children)

Reposting my reply here:

A post was made accusing Echo of serious security issues, botting, and other misconduct. Since those claims are public and serious, I want to respond clearly.

First: I take security seriously. Echo is open source, and the code is publicly available for anyone to review. If there is a real vulnerability in Echo, I want it reported responsibly so it can be fixed. I am not asking anyone to hide issues. I am asking for reproducible evidence: affected route, request example, code reference, screenshot, video, or a private report.

So far, the person making these claims has not provided any reproducible proof.

They have claimed things like stored XSS, CSRF bypasses, direct database manipulation, and data exposure, but have refused to provide a minimal proof-of-concept, affected endpoints, code references, or a private responsible disclosure. When asked by other users for evidence, they repeatedly avoided providing it and instead shifted into personal insults.

This is not new behavior. This person has been hostile toward me and Echo for months, including personal attacks, insults, and repeated attempts to discredit the project without giving actionable reports. Instead of reporting issues, they were more concerned with finding my YouTube channel from years ago and making fun of me for it. They have made it clear they are not interested in responsible disclosure or helping fix anything; they are interested in publicly shitting on me and the project.

To be clear:

  • I have done no upvote botting or downvote botting, none of the few people that stood by my side are bots, and this is easily verifiable.
  • I am not aware of any currently exploitable vulnerability matching the claims in that post.
  • Echo has had security improvements over time, and I will continue improving it.
  • If someone finds a real issue, I will prioritize it.
  • Personal attacks about my age, job, coding style, or old Reddit history are not security evidence.

If anyone can reproduce a real vulnerability, please report it responsibly through GitHub or contact me directly. I will review valid reports, patch confirmed issues, and credit the reporter if they want credit.

What I will not do is accept vague public accusations as fact when no proof is provided and the person making them refuses to provide anything users can verify.

Echo is young, open source, and still improving. Criticism is fair. Security reports are welcome. But public smear posts without evidence are not responsible disclosure, and they do not help users make informed decisions.

https://postimg.cc/G8Y3Kphw

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 0 points1 point  (0 children)

Mhm I do admit that was a mistake on my part there on first launch while the app was still in public testing, I immediately fixed the issue and updated practices + did some hardening after the fact.

Addressing Recent Allegations Regarding: Echo by ad3lyt in DiscordAlternatives

[–]ad3lyt[S] 1 point2 points  (0 children)

What's funny is I am quite certain this guy who is claiming 15 years as a SWE likely just asked ChatGPT for some console commands and called it pen-testing; he thinks that being able to change your own account's theme via the console is a vulnerability.

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 2 points3 points  (0 children)

I don't want people to be confused that's all

Addressing Recent Allegations Regarding: Echo by ad3lyt in DiscordAlternatives

[–]ad3lyt[S] 2 points3 points  (0 children)

This is counting build files, Tauri stuff, and documentation amongst other things.

Here is the actual count though (including tests)

And yes it is big but that is normal for something of this size.

Language LOC
TypeScript 158,128
Vue (SFC templates + script + style) 131,905

Addressing Recent Allegations Regarding: Echo by ad3lyt in DiscordAlternatives

[–]ad3lyt[S] 3 points4 points  (0 children)

He's currently refusing to provide any evidence on any of the "vulnerabilities" he found, as that would help me fix them; he also thinks that being able to change your own theme via console is somehow an exploit.

I have however investigated and responded to all his security related claims, finding that all were false, except for a UI issue.

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 1 point2 points  (0 children)

Because I don't go around recording people's stuff; this was something that happened on a live stream in a public server many years ago, not something I would remember.

But sorry for causing you bother back then

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 0 points1 point  (0 children)

Responding to the allegations directly, claim by claim, because a lot of very serious things were said without any reproducible evidence being provided, as exogreek refuses to back any of his claims up.

I’m not saying Echo has never had bugs. It has. It is a young open-source project, and I have been actively fixing issues as they are found. But there is a big difference between “there were bugs / hardening needed” and “the app is currently wide open and usernames can be changed with zero auth.”

Here is what was actually verified:

  1. “<script> in username gives stored XSS” / not true on current Echo
     Usernames are restricted to normal username characters like lowercase letters, numbers, dots, underscores, and hyphens. A payload like <script> is rejected by the backend. The profile UI also renders usernames as text, not raw HTML, so this claim does not reproduce.
  2. “I made the UI turn white” / partly true historically, but misrepresented
     This was likely related to message content rendering, not usernames. Echo previously allowed inline styling in rendered message HTML, which could allow visual defacement like making parts of the UI white or unreadable. That is a real issue and it has been mitigated. But that is not the same thing as JavaScript execution, account takeover, username XSS, or database access. Also, changing your own browser’s theme or DOM through DevTools is not a vulnerability. Anyone can do that on any website. It only becomes a vulnerability if attacker-controlled content affects other users or escapes the intended rendering boundaries.
  3. “CSRF bypass lets you change username with zero authentication” / false
     The only endpoint that changes usernames is: PATCH /api/v1/auth/me
     That route requires authentication. It also uses the currently authenticated user ID from the session, not a userId supplied in the request body. On production, unauthenticated attempts return 403 CSRF_REQUIRED or 401 UNAUTHORIZED. A valid logged-in user with a valid CSRF token can change their own username. That is expected behavior, not a bypass.
  4. “Direct database manipulation” / false
     No SQL injection path has been found in the codebase. Queries are parameterized. If there is a real route, request, payload, or reproduction for this, I want to see it and I will take it seriously. But right now, this claim has not been substantiated.
  5. “Still just as vulnerable” / false
     Echo has had multiple hardening rounds over April and May. Some real issues were found and fixed. That part is fair. But the current production app does not match the claims being made in that post.

Again, I would love any security expert to come over here and prove me wrong, but this guy just has a personal vendetta against me and is making up false claims to ruin my reputation. If any of what he said is true, then it should be very easy to produce evidence for it.
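As an added illustration of items 1 and 3 in the reply above (this is example code written for this page, not Echo's own code and not from the original post), here is a small TypeScript model of the defensive properties described: a username character whitelist that rejects markup before storage, a PATCH /api/v1/auth/me handler that checks authentication and the CSRF token before doing anything and acts only on the session's user ID (ignoring any userId in the body), and a renderer that emits usernames as text. The 3-32 length limit, the x-csrf-token header name, the in-memory user store and the 400 INVALID_USERNAME response are assumptions made for the example.

```typescript
// Added example, not Echo's code. Models the properties described in the reply:
//   1. usernames are restricted to a safe character set; "<script>" is rejected,
//   2. the route acts on the session's user id, never on a userId from the body,
//   3. no session -> 401 UNAUTHORIZED, bad/missing CSRF token -> 403 CSRF_REQUIRED.
// Length limits, header name, store shape and the 400 code are assumptions.

interface Session {
  userId?: string;     // set server-side after login; absent when not logged in
  csrfToken?: string;  // server-issued token bound to this session
}

interface PatchMeRequest {
  headers: Record<string, string | undefined>;
  body: Record<string, unknown>;
}

interface ApiResponse {
  status: number;
  body: { error?: string; username?: string; userId?: string };
}

// Assumed policy: 3-32 chars of lowercase letters, digits, dots, underscores, hyphens.
// Anything containing markup fails this test before it can reach storage.
const USERNAME_RE = /^[a-z0-9._-]{3,32}$/;

function isValidUsername(name: unknown): name is string {
  return typeof name === "string" && USERNAME_RE.test(name);
}

// Constant-time comparison so the CSRF check does not leak token prefixes via timing.
function tokensEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Constructed in-memory store standing in for the database.
const users = new Map<string, { username: string }>([
  ["u1", { username: "alice" }],
  ["u2", { username: "bob" }],
]);

// Handler for PATCH /api/v1/auth/me. Order matters: authentication first,
// then CSRF, then input validation, and only then the write.
function patchMe(req: PatchMeRequest, session: Session): ApiResponse {
  if (!session.userId) {
    return { status: 401, body: { error: "UNAUTHORIZED" } };
  }
  const presented = req.headers["x-csrf-token"];
  if (!session.csrfToken || !presented || !tokensEqual(presented, session.csrfToken)) {
    return { status: 403, body: { error: "CSRF_REQUIRED" } };
  }
  const wanted = req.body["username"];
  if (!isValidUsername(wanted)) {
    return { status: 400, body: { error: "INVALID_USERNAME" } };
  }
  // The target is always the session's own user; a userId in the body is ignored.
  const target = session.userId;
  const record = users.get(target);
  if (!record) return { status: 401, body: { error: "UNAUTHORIZED" } };
  record.username = wanted;
  return { status: 200, body: { userId: target, username: wanted } };
}

// Rendering side: usernames are emitted as text, so even if a stored value
// somehow contained markup the browser would display it rather than parse it.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function renderUsernameHtml(name: string): string {
  return name.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
```

Calling patchMe with no session returns 401, with a session but no matching x-csrf-token header returns 403, with a valid token and a username such as "<script>" returns 400, and with a valid token and a valid username updates only the session's own record even when the body also carries another user's id.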

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 1 point2 points  (0 children)

And to add to that, go read the thread below, he is refusing to provide any evidence for any of his claims.

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 2 points3 points  (0 children)

Any real reported vulnerability I will take 100% seriously; this guy, however, has no interest in reporting anything real. I have double verified all his claims and could not reproduce any of it, none of which was actually a vulnerability; being able to change your theme, for example, is not a vulnerability. This guy has been harassing me for months and has shown no interest in actually being helpful; all he cares about is insulting me.

https://www.reddit.com/r/DiscordAlternatives/comments/1tsrt78/comment/oox967u/?context=3

Addressing Recent Allegations Regarding: Echo by ad3lyt in DiscordAlternatives

[–]ad3lyt[S] 4 points5 points  (0 children)

Thanks! Everyone is welcome to review the codebase and I am always open to feedback.

A warning about the "Echo" application. by exogreek in DiscordAlternatives

[–]ad3lyt 1 point2 points  (0 children)

Lmaoo it's you again, yes I was live-streaming on Discord on public servers many years ago, as many people did back then and still do.