Discord: Multi-Factor Authorization, “pfishing”, and a false sense of security

Preamble

In the digital age we are almost entirely dependent on the internet for most of the things that we do: shopping, entertainment, work, or simply communicating with other people. These things usually require the user to make an account or in some other form to identify themselves, so that most of what that person does is tied to their account. That is why your account is what allows a platform to verify that you are actually you. That "identity" has to be kept secure so that only its owner can use it, and this is usually done in the form of login + password authorization.

However, there can be many reasons a malicious actor might want to take hold of your identity and act on your behalf. The attacker can use a plethora of methods to obtain your credentials: phishing, gaining access to a device that holds those credentials or, in the most extreme case, breaching the platform itself.

This article focuses on the first of these, phishing, as it applies to a messaging platform called Discord.

What?

Discord (discord.com) is an instant messaging and VoIP application which markets itself to gamers and communities as a way to communicate with each other in chat rooms called "Servers" (internally referred to as "Guilds"). Launched in 2015, the platform is estimated to have had 350 million monthly active users in 2021. With such a large number of users on the platform on a daily basis there is huge potential for bad-faith actors to exploit and take advantage of its users, even more so since 2017, when a paid subscription service called Nitro was added with the ability to attach a credit card (and later PayPal), creating a monetary incentive for attackers.

Authorization

All users who wish to use Discord are required to have a username and password to log in, with an optional "two-factor authentication" (2FA) method[1].

Ex. 1: Discord Two-Factor Authentication

The 2FA itself is a time-based one-time password (TOTP): a secret token is generated and shared between the server and the client, and both derive from it a short passcode that changes with time. Each OTP "lives" (is valid) only for a short window, usually 30 seconds.

However, technically speaking, Discord already has its users use a second factor by default, because the platform takes the user's IP address into account upon login. If a user logs into an account from a new IP for the first time, Discord will not allow that person to authenticate and will tell them to check their email[2] in order to authorize the new IP to log in.

Ex. 2: Discord detecting a new IP

It should be noted that in the worst case the password for the email account is the same as for the Discord account, so the attacker can complete the verification anyway, making this 2FA method pointless.

Enabling OTP authentication disables this IP check, so there is no way to have a third factor of authentication.

In case the client's token is lost, the user can use one of the provided backup codes to log in anyway[3].

Ex. 3: Discord 2FA login prompt

Backup codes on Discord are one-time, consist of 8 random lowercase alphanumeric characters, and there are only 10 of them. The user is able to generate new codes at any time[4].
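To make the two mechanisms described above concrete (the 30-second time-based OTP, and the 10 one-time backup codes of 8 lowercase alphanumeric characters), here is an added example of how a server-side verifier for both typically works. This is illustrative code written for this article, not Discord's implementation; the hashing of backup codes with plain SHA-256 is a simplifying assumption, and the base32 secret format follows RFC 6238 rather than anything Discord documents.

```python
import base64
import hashlib
import hmac
import secrets
import string
import struct

STEP_SECONDS = 30      # an OTP is valid for about 30 seconds, as the article notes
DIGITS = 6
BACKUP_ALPHABET = string.ascii_lowercase + string.digits   # 8 lowercase alphanumerics
BACKUP_LEN, BACKUP_COUNT = 8, 10                          # 10 one-time codes


def totp(secret_b32, for_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", for_time // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, candidate, now, window=1):
    """Accept the current step plus/minus `window` neighbours to tolerate clock skew.
    Every candidate step is compared in constant time; a code older than the
    window is rejected, which is why a phished OTP is only useful briefly."""
    ok = False
    for d in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(secret_b32, now + d * STEP_SECONDS), candidate)
    return ok


def generate_backup_codes(count=BACKUP_COUNT, length=BACKUP_LEN):
    """Plain codes are shown to the user once; the server keeps only hashes."""
    return ["".join(secrets.choice(BACKUP_ALPHABET) for _ in range(length))
            for _ in range(count)]


def hash_backup_code(code):
    # Assumption for brevity: unsalted SHA-256. A slow or keyed hash is preferable
    # in production because an 8-character code space is small.
    return hashlib.sha256(code.encode()).hexdigest()


class BackupCodeStore:
    """Holds hashes of unused codes; a code is consumed on its first successful use."""

    def __init__(self, codes):
        self.unused = {hash_backup_code(c) for c in codes}

    def consume(self, candidate):
        h = hash_backup_code(candidate)
        if h in self.unused:
            self.unused.discard(h)   # one-time: the same code never works twice
            return True
        return False
```

The TOTP vectors from RFC 6238 (secret "12345678901234567890") can be used to check the `totp` function.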

Ex. 4: 2FA backup codes. A checked box means the code was used.

In case the backup codes are lost too, the user can have a backup authentication method via SMS[5]. This will also make the account phone-verified, as it requires a phone number.

Ex. 5: SMS backup authentication

Upon login the client is given an "authentication token" which is used to perform API actions on behalf of the account it belongs to. In simpler terms, it is your pass to do anything on the platform: sending/receiving messages, joining servers, talking with people in voice chats, etc.

Your login/password + 2FA is what tells the application that you are who you claim to be; everything you do on the platform afterwards uses the authentication token instead.

Safeguards

Several functions on Discord require some form of re-authentication, for example: changing your username/tag on your profile, changing the phone number, deleting servers, etc.

Most require your password to go through, but some (particularly server-related actions) can require your OTP 2FA code instead, if it is enabled[6].

Ex. 6: 2FA code prompt on an attempt to delete a server

A Discord server can be configured to require anyone with moderation powers to enable OTP 2FA. This is done to prevent a scenario where an attacker takes control of an account that has moderation powers in some server and abuses them to cause harm to that server.

But, peculiarly, important actions like gifting Nitro subscriptions do not require Discord 2FA to be executed. This is most likely intentional, as identity confirmation is expected to be done on the bank's side using technologies like Mastercard ID Check[7][8].

Ex. 7: Discord waiting for authentication
Ex. 8: Bank authentication window

Faults

Discord, like any platform, is not perfect. Its authentication methods can be put under much scrutiny.

The general idea behind Discord authentication is that if you are already authenticated in any way, you do not need to re-verify who you are.

This is best exemplified by the QR-code method of authorization (internally called "Remote Auth"), which asks the user "is this you?" with simple "Yes" or "Cancel" buttons on their phone[9].

Ex. 9: Remote Auth prompt on a phone

Upon tapping "Yes, log me in", Discord allows the user to log in from the device that requested Remote Auth.

Phishing

As the years have passed, and with the advent of OTP 2FA, the focus has shifted from targeting usernames and passwords to targeting authorization tokens. This is because a login and password are only "what you know", and without the 2FA OTP ("what you have") they are basically useless.

Obtaining a token in any way possible allows a malicious actor to essentially bypass any security measures the user has put in place and perform actions on their behalf.

The most popular method of getting a token is through Remote Authorization: victims of a phishing attack are lured through in-platform messages claiming they have been sent a Discord gift, which lead to an external site that looks like the Discord login screen[10].

Ex. 10: Fake Discord gift screen

One may say: "These fake websites look horrible, how could anyone even fall for them?" But people, even if a small percentage, do fall for phishing attacks like this.

This is also the lowest-effort way for an attacker to tackle the task, because there are already ready-made libraries and applications that support QR-code generation and data gathering[11].

Ex. 11: A simple RA client written in Python

Assume a fake website has a 5% success rate: out of 1000 people, 50 will fall for it, and these attacks are run against multiple thousands, if not tens of thousands, of users.

This method entirely ignores the login and password and leads the victim to believe they are not really giving anything up, because the password is a non-factor. The false sense of security provided by the Remote Authorization approach is what gives the method a higher success rate compared to straight up asking for logins and passwords.

Some phishing sites still offer a login/password method of authentication, simulating the Discord login screen almost identically[12].

Ex. 12: Fake Discord login screen (name of the user removed digitally)

Breach

Depending on the motives of the attacker, different things can be done on behalf of the victim; most of the time it is an attempt to buy gifts (which do not require any 2FA validation from Discord).

Here is a general list of what an attacker can do knowing only the token:

  • Buy gifts (assuming bank-side verification is not enabled, which is the case more often than one would think)
  • Change the avatar
  • Send/receive messages, join voice chats, and perform most interactions on your behalf
  • Exercise admin powers on any server where the victim has moderation powers, even if that server has moderation 2FA turned on
  • Authenticate on other platforms that offer Discord as a login option

There are very few things Discord actually stops a user from doing without knowing the password/OTP code. They are mostly "mission critical" actions, which were mentioned above in the "Safeguards" section of this article.

Discord rarely takes action against these attacks and has a "you did this to yourself" attitude, according to multiple people interviewed for this article. There have been recorded cases of refunds after breaches, but they are few and far between. As for server deletions/raids, there have been no known cases to me or anyone I asked of a deleted Discord server being restored.

Summary

Discord in general does not try to protect computer-illiterate or otherwise unaware users from being phished and having their accounts taken over, and rarely reverses the damage done.

Furthermore, one can conclude that Discord does not care enough about the security of its own authentication process to stop malicious actors from doing harm. Making something as crucial as payments not require any validation on the platform's side, combined with unresponsiveness in refunding these purchases, may invite suspicions of shady business practices as well.

From this we can conclude that Discord does not care about the security of its users and at times benefits from the digital ineptitude of its users.
