Major flaw with QR scan

Comments

53 comments

  • Felice

    You guys aren't being clear enough for the people who want to know why this allows accounts to be stolen.

    When you try to log in to a PC client, a QR code is displayed. The Discord servers sent this to the client, and it uniquely identifies that client on that PC if you scan it with your phone. If you do that, then the Discord guys have naïvely set it up so that you have now authorized that PC client to log in.

    What a-holes are doing is pulling up the client on their own PC, taking a screenshot of the QR code that identifies their PC client, and then posting the screenshot to others to scan. When someone scans it, the Discord servers think they were physically present at the PC and authorized it to log in, so boom, the a-hole is now logged into your Discord account on their own PC.

    (Was that so hard? Now people know why they need to be concerned.)

    Worth noting is that the mobile client does tell you, before granting access, that you're logging in, but it does a very, VERY bad job of explaining that you are giving a PC client full access to your account and that, if you weren't TRYING to use a QR code to authorize a PC client to log in for your own use, then you need to back out immediately and report the user who tried to scam you.

    34
  • Timardo

    If you are dumb, that doesn't mean it's ok to scam you. How is it not wrong to create something that could be this easily exploited.

    19
  • Lutonite

    2FA could still be described as "authorisation for the gift" from a scammer, or any other reason (which might be comple nonsense, but people will still fall for it).

    I think that this scam should be eliminated completely, by making it impossible to complete it. For this, we have to go back at the root of it: the QR code itself. A scammer is able to send his QR code because it stays constant for a long period of time (I haven't tested, but more than enough to have people fall for it). A simple trick to eliminate this scam would be to regenerate the QR code every 30 seconds, that would make it close to impossible for the scammer to share it to someone else in time for them to scan it.

    On a technical point of view, yes it involves generating a key on the backend which takes processing power, but I think that if other applications are able to do this, implementing a refresh method on the already existing auth key generator should be feasible and would remove this really simple scam trick.

    17
  • sniff122

    I would say that the easiest (and probably a bit crude) solution to this issue would be to still require 2FA for login. It wouldnt be that much of a hassle because you will already have your phone in your hands after scanning the QR code so it would then just be a case of opening the 2FA code app of choice.

    16
  • PairedPrototype

    Indeed a nice and useful feature, but by passing 2FA is not.

    MFA is designed on the principle that you have to provide multiple pieces of evidence to log you in. A QR code is just one, and then you're in. You are defying a security principle you've provided to your users that they have indicated they wanted by enabling it but, we are now back to a single factor despite it. Hell, they don't even need to know the username, email or password, you're literally giving them a master lock that accepts any key put into it and  they're sending that to unsespecting people.

    I want to see 2FA still enforced, or at least the option provided and enabled by default. Don't provide a security feature that has a flaw, it's just pointless.

    14
  • LosTigeros

    2FA (requires to switch apps) or just entering a proper number (or phrase) on the client (where you want to get logged in) that is randomly generated and is showing on phone with clear info like:
    "You'll be logged in on the side where given QR code was shown. If someone sent that code to you, it's a SCAM! In that case, please cancel this operation immediately and write to us a report describing the situation and a person who sent it to you."
    or something.

    It'll force the person that tries to scam you to get in touch with you and ask for that info. You'll get more time to see what's going on.

    8
  • matthew

    Really not sure how people are defending this. It's obviously a useful feature, the issue is that it completely bypasses 2FA and allows the hacker full access to your account regardless of the security you have setup on your account.

    8
  • Elliott

    The option only says 'scan QR code'. There is no indication that it has anything to do with logging in- no warnings, no nothing.

    8
  • Dunci

    I find this feature a major security flaw as it skips even 2 factor authentication.

    6
  • Dunci

    @Xiang Zhu this login features bypasses 2FA

     

    YOU WILL NOT BE ASKED TO ENTER YOUR 6 DIGIT AUTH CODE.

    6
  • Dkbay

    In my opinion the right way to fix this is only allowing QR code login on devices, that have been logged in normally PREVIOUSLY. So if you had logged in on your pc and logout, you'd be able to login with a QR code that is unique to you.

    That way others can't send you their qr code and get access to your account... 

     

    Also it shouldn't be able to bypass 2FA, that's bullshit then your account might as well not have it to begin with.

    6
  • David McGoat

    I reported this almost a month ago,  "Per our last message: unless you've shared your token with another person, it's not possible for someone to log into your account without access to both your login credentials to your Discord account and email address and clicking "Confirm Login" on the "New Login Location Detected" notification email. As stated in our Terms of Service, you are responsible for your login credentials and take full responsibility for the activities and use of your credentials. Based on your description of this situation, your Discord account was accessed due to account negligence and we will not be lifting the ban from the account. However, while we can not return the account per our policy, I have gone ahead and refunded this unauthorized transaction. Please allow up to 5-10 business days for the full refund to reflect in your bank and/or Paypal account. Let us know if there's anything else. Sincerely, Discord Trust & Safety Team"" 

     

    Discord does not care they banned my other account for telling them about it. 

     

    There is other ways for people to get access to you account but discord say they can not do it ( Clearly they are) 

     

     
    6
  • Unlocked

    Bypassing 2FA is obviously a problem. However, even requiring two factors wouldn't be enough here. The fact that a QR code can be innocuously passed to gain some form of authorization is awful. If Discord wants convenience, they should implement an automatic prompt into their app like Google does for 2FA. That would require a user to, on their own, accept a completely unprompted authorization request, which is much less of a concern than a user clicking a link or scanning a QR code.

    6
  • Elliott

    > I also want to know how scanning someone else's QR code can allow them access to your account.

    The 'log in with QR code feature' means that if someone scans the code, whoever gave that code has full access to the account (as if they logged in).

     

    This can be handy in some cases, but is easily abusable with social engineering.

    5
  • Broadway Pixels ®

    I honestly feel, it should still require a 2-step code if that's enabled, it shouldn't just log you in without even asking for it.

    5
  • Beatrice ベアトリーチェ

    I use it for convenience whenever my Discord on PC gets logged out and I use my QR scanner on my Discord app to log back in.

    Because it's an incredibly easy thing to do and it saves time.

    If it compromises a user's security, then I agree that there should be a solution.

    5
  • FAXES

    Can agree with that comment above. I think Google does a good job of this a similar system would be good and more secure in the Discord app. Even something as simple as Googles prompt to select the number displayed on the screen on the users mobile works.

    5
  • TZer0

    To clear up any confusion (because I see a lot of it in this thread):

    The hacker shares a QR code that the victim scans. This logs the victim's account in on the hacker's computer, not the other way around.

     

    There are a few issues here, allow me to list them:

    1. This was never an opt-in feature. This got enabled for all accounts without any warning and no explanations. This is further compounded by point 3.

    2. This turns something that used to be potentially 2FA (if you have an authenticator of sorts) into 1FA. Sure, you're authenticating this login using an already 2FA authenticated device, but it is still a one-factor login for that new device. In my opinion, it sounds like a bad technical decision to not at least require 2FA as an additional security precaution. People are much less likely to share such codes with strangers than say scanning a random QR code - a thing which is compounded by point 3 below.

    3. The option on the phone should be renamed from "Scan QR Code" to "Log In Via QR Code" as the former is not descriptive enough. All of this could've been avoided with this and maybe a warning in red text when clicking on this option.

    4. Discord could've also checked if the phone is at least geographically in the vicinity (by looking at IPs) of the computer client that's being logged in. This would've defeated 99.99% of all these attacks.

    5
  • Ohirsha Dawnbringer

    It's not really a useful feature. If you are already using your device to scan the QR code then you can pull up your 2FA on it just as well. It's an unnecessary feature that is making a security problem for accounts and should be immediately disabled.

    4
  • Glenfiddich

    I posted my thoughts on Twitter about this, and the TLDR is, really:

    • QR codes have a 2 minute refresh time, so this scam needs to be done in real-time
    • The Confirmation Screen is far too skippable
    • Bypassing 2FA is a terrible idea
    • Entering in an email address before generating a QR Code would nip most of the scam potential in the bud.
    • Showing the account name and # number on the QR Code Page after a successful SCAN (not acceptance) could leak data

     

     

    4
  • To answer @advancedlamb and anyone else asking how this works or why it gives the scammer YOUR account and not their own. Heres a video on reddit someone posted demonstrating the QR login process.

    https://www.reddit.com/r/discordapp/comments/eciaaa/heres_a_video_on_how_the_login_using_qr_code/

    Note that no credentials were entered, as others have explained - the QR code immediately grants access and logs the PC in. 

    4
  • AboundedBoar9221

    First off, let me just say this. Discord should not have released a feature that has to do with security without looking into flaws or issues that could lead to Scams and Hacking of others accounts. Accounts have payment information and other personal information so this issue should be top priority to Discord. Since they haven't stepped up and fixed this issue yet security is a major issue and they are violating their own Terms of Service (TOS). Discord NEED'S to fix this issue.

    4
  • KurtCobain

    Also, the lack of Discord staff responding to or posting ANYTHING about this is highly disturbing.  Please, Discord staff, do SOMETHING about this!

    4
  • KadotyGamer

    They could make a 2FA that is similar to what Google does on a device logged in to your account. After you scan the QR, you then get a notification saying a device is trying to log in to your account, do you want to allow this device access to your account? Yes or No

    Upon selecting Yes, account access is granted and that device is able to log in.

    If you select No, immediately denies access to your account to the other device

    4
  • OFF

    @advancedlamb

    "How does this end in them stealing anything?"

    > The fact that the user's account is stolen by that point.

    3
  • proto

    so i may have scanned a random qr code, if i have 2fa am i safe? or does the code bypass all that stuff

    3
  • Xiang Zhu

    @felice Thank you for explaining, it makes more sense now.

    Edit: It does look like there's an additional step on the phone to confirm the login, but I can understand how this would be easy to just skip past for someone. This should indeed be fixed. Again, thank you for the simple explanation Felice. Much easier to understand how this is a problem.

    3
  • Vas

    Shadow_Hunter; I love how your first reply is so downvoted its made you look very unpopular. I also downvoted, because this is definitely Discord Team's fault.

    Its their job to protect people from hacking attempts and vulnerabilities such as this. They should have tested the new feature they added long before adding it to Discord. They didn't. Now they put their clients at risk of losing a lot of stuff, or worse. I hope this feature is removed from discord completely, forever. There is no reason to need to scan a QR code to login, thats just stupid. Worthless feature. Nothing but a security hole.

    I also hope that, this feature will end up costing them a lot of premium accounts. Losing income because they chose to release an untested dangerous feature. People need to start boycotting the support area now to demand this feature get deleted before it gets out of hand. Discord needs to take care of this immediately.

    3
  • advancedlamb

    at least from this we can learn that no matter how callous and arrogant people act, they can be objectively wrong. theres a reason the people justifying this arent software developers.

    2
  • TheGxBar

    Best solution to this issue is to display a two/three digit number on your phone after scanning the qr code, have you type in this two/three digit number in the discord website on the desktop to verify its you. If it's typed wrong, you get a notification of a failed login attempt and the qr-code login is disregarded and you have to scan another new qr-code.

    My suggestion here.
    https://support.discordapp.com/hc/en-us/community/posts/360056269072-Use-a-button-number-method-for-QR-code-signin-

    2

Please sign in to leave a comment.