[Suggestion] Members (and bots) shouldn't get the server's user list unless they have access to the channels the user list is visible in.

Follow

Kadaz

• February 24, 2019 17:42

After a long back and forth with Discord's support and minimal assistance, I've come to realize that security in the app is seriously lacking. 

Namely, apparently users/bots have access to the whole server's userlist through the API, regardless of if the new users are locked in a channel by themselves, without having the list visible to them. 

The consequence is that big enough servers have virtually no way of countering bots that PM members with invites/scam links, especially during a bot raid of hundreds of bots instantly PMing everyone at random. 

I suggested in the email exchange to make it so that people can only get the user-list of the channels that are visible to them sent to their clients. This kind of adds a layer of protection, since the admins can for example use a discord bot that assigns people a role granting them access to the main channels, by clicking on an emoji or saying "hello" in a landing channel. It also makes the use of special quarantine channels actually effective. 

Imo, this solution is far better than the commonly suggested server-wide setting of disabling PMs between all users, and a lot frendlier to privacy. 

Discord has evolved from being a means to communicate with your gamer buddies, to hosting gigantic gaming and non gaming communities with tens of thousands of members. However I think the moderation/privacy aspects of it haven't followed close with its rise, hence the point of this post. There are servers out there with tens of thousands of members that have to deal with this daily. 

33

• 

  Minnow

  • February 26, 2019 14:24
  • Edited

  I've also had issues with this, and instead of disabling all PMs this sounds like a great solution to the problem. Hopefully discord takes the feedback of its users seriously. 

  0

  Comment actions Permalink
• 

  Justo

  • February 26, 2019 16:19

  I've specifically been in contact with the discord community team and been informed that allocating users to roles only when trusted is the optimal solution to server spam.
  
  Only after this process did we determine that in fact, the bots just get the server list anyway.
  
  
  Discord might not have realized yet that the size of the platform they've created has (as is always the case) created ancillary businesses that aim to advertise utilizing the platform. There's groups that intentionally build and advertise information on discord if you pay them to do so, and many groups that attempt to do the same thing for themselves as they see it as a free and easy marketing system.
  
  Imagine for example if facebook was flooded with random people sending you advertising messages? Or for example if twitter had random people constantly messaging you about how you should buy this next great big thing.
  
  Sadly the choice these two companies took was just to force the advertisers to pay them to advertise to those random people. But discord still needs to take these lessons to heart.

  2

  Comment actions Permalink
• 

  Sagefox

  • February 27, 2019 19:28

  We've been raided by spam bots for weeks that DM people. They just keep comming. There is nothing we can do but ban them as they come ASAP but sometimes they come by the minute. This would give us some solution.

  2

  Comment actions Permalink
• 

  Column

  • April 10, 2019 17:52

  We've had our server plagued with spam bots like this too. If this is the case, then our attempt to stop it is going to fail.

  2

  Comment actions Permalink
• 

  Kadaz

  • December 13, 2019 01:29

  Bumping this since it's been almost a year and big discord servers are still a bot fiesta. 

  0

  Comment actions Permalink

Please sign in to leave a comment.