Discord Tokens
At the moment, I'd say there's quite a large problem which is "Token Logging" - Usually someone will run a malicious program and their token will be remotely sent to a user.
I think Discord should make it so requests to the Discord API by the Discord Client will only be authorized if it is by the IP that logged in and validated said token, it will stop many of these attempts.
-
So in your world, Man-In-The-Middle attacks clearly don't exist.
You can go on about how it would be hard to do, but not really if you have a close connection to the person, or access to their phone/pc. You can install a root certificate, issue a certificate for Discord, and siphon everything sent to and from Discord. This includes tokens, as well as passwords, (possibly) phone numbers, and more.
I've done this to myself on pc, and mobile, so it is definitely possible. There is not a reliable way to prevent this. Certificate checks fail as soon as you're behind a network with a firewall that replaces all certificates, which is a MITM attack, but is perfectly valid. There really isn't anything you can do about this.
3 -
Also, yes, ip checking would work in some situations. But if something gets your token, what's stopping it from using that token to change your password on the fly? An antivirus? Clearly not if it got the token in the first place.
2 -
inspect element, listen over the network
2 -
you know they can make it look like it's coming from the mobile client and there will never be a true fix or a way to protect the token so yeah
1 -
It would have to be accessed by mobile. It seems like you don't know how the Discord client works.
1 -
it doesn't generate a token it accesses the token and then stores it
1 -
it will still be the same token it doesn't change unless you change your password
1 -
Still the same, it's the same token. Explain to me this: how can a user bot work every time it logs in without generating a new token? How would it get the new token if it was regenerated? You would have to post the new token each time for the user bot to work, but it continues to work with the same token. It's basically logging in the same as the client.
1 -
No, unless they change their password, because I've seen people run a user bot without having to change the token once.
1 -
whatever you're not seeing what I'm saying you're just being stupid
1 -
PENGUIN114 The last I checked, users' tokens don't regen every log-in; this would be completely pointless, so they just don't do that. I feel like you're getting mixed up with the way Roblox tokens work.
1 -
maybe my discord is just broken.
anyways having tokens being able to be grabbed and accessed so easily is definitely a security flaw.
1 -
How do you find a discord token on pc? I'm slow, lol, and I can't find it.
1 -
I'm still token logged and I hate it
1 -
First of all, the token is not stored in application local storage, and they keep moving it. I find it in the network tab of Chrome or Chromium: I find the science tab and look in the request payload to find my token; you can also find your Spotify token too. Either way, the token does NOT change upon logging out and logging back in. The token is a derivative of your client_ID and client_Secret, and if you have those then you can generate tokens. Either way, it's not going to help, because for one, yes, mobile users have inconsistent IP addresses, and just marking the token as a mobile user doesn't do much, because you can still mark a token you generated as a mobile one or something.
0 -
I have a question, some guy did .token @Pixums and a token popped up! Is that real or not because it seemed like he tokened me. I changed my token ofc but i'm still scared
0 -
pix that's just a randomly generated string that matches the token regex.
0 -
Yeah he basically took the 1st half of my token and acted like he was hard LOL, we all got into a group chat and me and my friend clowned everyone. They were saying they were going to swat me or something. Couldn't do anything lolol
0 -
Not sure why you would need it tho :/
0 -
https://support.discord.com/hc/en-us/community/posts/360049324394/comments/360013218994
it's because you are logged in via 2FA. That's the only reason your token would change every log in. :facepalm:
0 -
Yo, tokens don't regen with every login. I used to use my tokens to log into my accounts since I had lost my password; I used the same token for about 6 months and it never changed. Having it regen with every login would be quite stupid, since your token is the way Discord knows who you are while in application; making a new one every time you log in would mean you would be kicked out on all other devices you logged in every time you log in. Also, binding it to your IP is not a solution of any sort, because that would mean you would need to re-log every time you use a VPN/proxies, which is annoying, especially for any sort of developer.
0 -
can someone help me i think i have been token logged this person keeps on getting on to my account even if I make a new account how can I delete the token logger and get rid of this hacker. the hackers main accounts name is iota!#0001 if that's important.
0 -
Try it.
-1 -
They don't work consistently due to what I said.
People have to manually update it all the time.
-1 -
"you've seen people"
yes yes, because people definitely say "oh look my token changed! let me update my token in my selfbots configuration!"
-1 -
On the latest PTB build it is located in local storage and the token is regenned when you log in. If someone manually marks their token as mobile, then that's their fault, they shouldn't have done that if they wanted their token to be protected.
-1 -
I'm too simple minded to understand anything you said
-1 -
If its created by mobile, not accessed.
-2 -
also please use some sort of punctuation, it's getting really hard to read.
-2 -
It has been 2 days since I contacted Discord about this issue. My account was stolen and the info was changed. And over $40 of gifts and boosts were bought. I no longer care about the account. I would like to get the $40-50 that was spent back. If possible I would also like to speak to human support, Please help !
* I have been token-logged before and gotten my account back, but somehow my email and password were changed too. But like I said, I no longer care about my account, I just want my money and phone number back. Please connect me to REAL HUMAN Discord support, not automated messages that don't help.
-2