Restrict users and bots from accessing the server's entire user list when using the bot API.
It appears that bots, and by extension userbots, are able to access a server's entire user list when using the bot API. Bots and userbots should really not be allowed to do this, as it prevents us from restricting spammers who join a server from spam-DMing non-staff members of the server, and especially with the bots that are spamming NSFW content to our primarily teenage audience, it's really inappropriate and there's not much we can do to stop it.
I know userbots/selfbots are against the ToS, but these spammers really don't care about that, and this should likely be a feature added to tighten the security around bots and the API so that server permissions are properly upheld.
I know there is already a feature in the client to not allow users to DM you from a server if they're not friended, but the average user doesn't have that enabled, and lots of people don't actually like having that enabled since they like talking with random people from the server. However, no one likes spam, so it's a bit of a conundrum to actually recommend people enable that, since it cuts off legitimate avenues of communication by forcing users to friend other users when they might not necessarily want to (and that bypasses the user's own privacy settings entirely if they're forced to friend everyone they want to DM).
This has to be fixed by Discord ASAP, as it is a major security flaw IMHO. Anyone who joins should not be able to gain access to the entire members list, or whatever Discord sends in the compressed response, when the initial public channel is locked to unverified users.
2
Unfortunately not true. We're at the highest level of verification, and while the bots aren't able to send messages in the server, they're able to spam people in our server with NSFW content via DM.
1
You can prevent users without a role from DMing people when they first enter a server by increasing the verification level in the server options. This won't fix the problem, but it'll give you a chance to help with it.
0
Almost a full year later, Discord still hasn't learnt how to protect their userbase from unwanted spam. If we turn on the highest level of verification and they can just call the API to get the entire user list and spam them with DMs, then this is, as aziz pointed out, a major security flaw and MUST BE DEALT WITH.
"Just tell members to close their DMs" is not good enough (referring to: https://support.discord.com/hc/en-us/articles/217916488-Blocking-Privacy-Settings-)
0
Users can change their own privacy settings.
-1
Comments
5 comments