Major flaw with QR scan
Hello, i have reported about 5 people now, for trying to scam our members to scan the login QR code to access their account, sent by the "hacker/intruder, one person already got scammed into this, i do think that there should be more security on this feature
Well its not really the discord teams fault that this is happening
People DO get a warning about scanning other peoples qr codes
So the only dumb ones here are the ones who ignore the warnings-63
If you are dumb, that doesn't mean it's ok to scam you. How is it not wrong to create something that could be this easily exploited.19
I would say that the easiest (and probably a bit crude) solution to this issue would be to still require 2FA for login. It wouldnt be that much of a hassle because you will already have your phone in your hands after scanning the QR code so it would then just be a case of opening the 2FA code app of choice.16
2FA could still be described as "authorisation for the gift" from a scammer, or any other reason (which might be comple nonsense, but people will still fall for it).
I think that this scam should be eliminated completely, by making it impossible to complete it. For this, we have to go back at the root of it: the QR code itself. A scammer is able to send his QR code because it stays constant for a long period of time (I haven't tested, but more than enough to have people fall for it). A simple trick to eliminate this scam would be to regenerate the QR code every 30 seconds, that would make it close to impossible for the scammer to share it to someone else in time for them to scan it.
On a technical point of view, yes it involves generating a key on the backend which takes processing power, but I think that if other applications are able to do this, implementing a refresh method on the already existing auth key generator should be feasible and would remove this really simple scam trick.18
2FA (requires to switch apps) or just entering a proper number (or phrase) on the client (where you want to get logged in) that is randomly generated and is showing on phone with clear info like:
"You'll be logged in on the side where given QR code was shown. If someone sent that code to you, it's a SCAM! In that case, please cancel this operation immediately and write to us a report describing the situation and a person who sent it to you."
It'll force the person that tries to scam you to get in touch with you and ask for that info. You'll get more time to see what's going on.8
True 147loch they should have another step where on the pc u need to enter a code shown on the screen of the phone
But if u somewhat exit discord then the code changes
So they would have to be in a phone call or something to make it work then but if not then it wont work-3
Really not sure how people are defending this. It's obviously a useful feature, the issue is that it completely bypasses 2FA and allows the hacker full access to your account regardless of the security you have setup on your account.8
It's not really a useful feature. If you are already using your device to scan the QR code then you can pull up your 2FA on it just as well. It's an unnecessary feature that is making a security problem for accounts and should be immediately disabled.4
This is the very definition of a non-issue, for one major reason:
When you scan a QR code, you are immediately prompted on the phone to confirm that you wish to log in using that QR code.-9
how does this work? the qr code logs you into an account: if a hacker gives you their qr code all they're doing is letting you have their account. how does this end in them stealing anything?-7
Indeed a nice and useful feature, but by passing 2FA is not.
MFA is designed on the principle that you have to provide multiple pieces of evidence to log you in. A QR code is just one, and then you're in. You are defying a security principle you've provided to your users that they have indicated they wanted by enabling it but, we are now back to a single factor despite it. Hell, they don't even need to know the username, email or password, you're literally giving them a master lock that accepts any key put into it and they're sending that to unsespecting people.
I want to see 2FA still enforced, or at least the option provided and enabled by default. Don't provide a security feature that has a flaw, it's just pointless.14
"How does this end in them stealing anything?"
> The fact that the user's account is stolen by that point.3
so i may have scanned a random qr code, if i have 2fa am i safe? or does the code bypass all that stuff3
But how does the QR code actually allow them to steal anything? If they post their QR code, you'll access their account. The only way for them to access your account is for YOU to post YOUR QR code.
Does this QR code take them to a website that scrapes additional authentication credentials?
Where is this 'login' QR code found? Show this 'exploit' done in a practical situation, not just 'it just lets them in, omgerd!". If they don't have your code, how does it let them into your account.-5
I also want to know how scanning someone else's QR code can allow them access to your account. Can someone enlighten us a bit more than "the fact is that it just is" please?1
First of all there is a massage on the mobile to indicate that this is a connexion think once the user scanned it, users should click on cancel if they do not attempt to connect.
Secondly, QR code are only usable for 10 mins, it means if you see a QR code 10 minutes after the message it don’t work anymore.
To avoid scams 5 thinks to do:
- Never scan thinks that are not from the app itself.
- Never click on suspicious link.
- Never trust an email from Discord that not end with @discordapp.com
- Have a strong and unique password.
- Do not edit you client or let apps edit your client.
Once you understand that you account is safe.-2
The option only says 'scan QR code'. There is no indication that it has anything to do with logging in- no warnings, no nothing.8
> I also want to know how scanning someone else's QR code can allow them access to your account.
The 'log in with QR code feature' means that if someone scans the code, whoever gave that code has full access to the account (as if they logged in).
This can be handy in some cases, but is easily abusable with social engineering.5
I find this feature a major security flaw as it skips even 2 factor authentication.6
You guys aren't being clear enough for the people who want to know why this allows accounts to be stolen.
When you try to log in to a PC client, a QR code is displayed. The Discord servers sent this to the client, and it uniquely identifies that client on that PC if you scan it with your phone. If you do that, then the Discord guys have naïvely set it up so that you have now authorized that PC client to log in.
What a-holes are doing is pulling up the client on their own PC, taking a screenshot of the QR code that identifies their PC client, and then posting the screenshot to others to scan. When someone scans it, the Discord servers think they were physically present at the PC and authorized it to log in, so boom, the a-hole is now logged into your Discord account on their own PC.
(Was that so hard? Now people know why they need to be concerned.)
Worth noting is that the mobile client does tell you, before granting access, that you're logging in, but it does a very, VERY bad job of explaining that you are giving a PC client full access to your account and that, if you weren't TRYING to use a QR code to authorize a PC client to log in for your own use, then you need to back out immediately and report the user who tried to scam you.34
It's not something that can be abused in that fashion. Again, if they post a random code, or a code generated by an 'attacker', it won't give them anything having to do with your account because your code is unique to you. You would have to give them your code, which would be highly unlikely that anyone would do that. And if it's used in a 2FA scenario, it means you'll have to authorize that QR code login with your phone's authenticator app. It sure doesn't sound like anything is being bypassed.-14
@Xiang Zhu this login features bypasses 2FA
YOU WILL NOT BE ASKED TO ENTER YOUR 6 DIGIT AUTH CODE.6
@felice Thank you for explaining, it makes more sense now.
Edit: It does look like there's an additional step on the phone to confirm the login, but I can understand how this would be easy to just skip past for someone. This should indeed be fixed. Again, thank you for the simple explanation Felice. Much easier to understand how this is a problem.3
That's... An interesting setup. Thank you @Felice1
I posted my thoughts on Twitter about this, and the TLDR is, really:
- QR codes have a 2 minute refresh time, so this scam needs to be done in real-time
- The Confirmation Screen is far too skippable
- Bypassing 2FA is a terrible idea
- Entering in an email address before generating a QR Code would nip most of the scam potential in the bud.
- Showing the account name and # number on the QR Code Page after a successful SCAN (not acceptance) could leak data
In my opinion the right way to fix this is only allowing QR code login on devices, that have been logged in normally PREVIOUSLY. So if you had logged in on your pc and logout, you'd be able to login with a QR code that is unique to you.
That way others can't send you their qr code and get access to your account...
Also it shouldn't be able to bypass 2FA, that's bullshit then your account might as well not have it to begin with.6
I reported this almost a month ago, "Per our last message: unless you've shared your token with another person, it's not possible for someone to log into your account without access to both your login credentials to your Discord account and email address and clicking "Confirm Login" on the "New Login Location Detected" notification email. As stated in our Terms of Service, you are responsible for your login credentials and take full responsibility for the activities and use of your credentials. Based on your description of this situation, your Discord account was accessed due to account negligence and we will not be lifting the ban from the account. However, while we can not return the account per our policy, I have gone ahead and refunded this unauthorized transaction. Please allow up to 5-10 business days for the full refund to reflect in your bank and/or Paypal account. Let us know if there's anything else. Sincerely, Discord Trust & Safety Team""
Discord does not care they banned my other account for telling them about it.
There is other ways for people to get access to you account but discord say they can not do it ( Clearly they are)6
To answer @advancedlamb and anyone else asking how this works or why it gives the scammer YOUR account and not their own. Heres a video on reddit someone posted demonstrating the QR login process.
Note that no credentials were entered, as others have explained - the QR code immediately grants access and logs the PC in.4
I honestly feel, it should still require a 2-step code if that's enabled, it shouldn't just log you in without even asking for it.5
I use it for convenience whenever my Discord on PC gets logged out and I use my QR scanner on my Discord app to log back in.
Because it's an incredibly easy thing to do and it saves time.
If it compromises a user's security, then I agree that there should be a solution.5
Bitte melden Sie sich an, um einen Kommentar zu hinterlassen.