Native QR Code Scam Protection

Comments

29 comments

  • Ezayfund

    You have to make sure you are scanning it FROM DISCORD!

    -3
  • Lutonite

    Technically, detecting whether the QR code is scanned from the Discord site is close to impossible.

    A simple trick would be to regenerate the QR code every 20 seconds; that would make it close to impossible for the scammer to share it with someone else.

    6
  • Royal_Administration

    This is a serious security issue, and has some serious vulnerabilities. Discord is most likely aware of this issue and finding a way to fix it to make Discord a more secure platform. But you must keep in mind that you are responsible for your Discord account; scanning a QR code claiming to give free Nitro is not a good idea. You are responsible for all of your actions on your account, and Discord should not be held responsible for you scanning a random QR code.

    -5
  • Kazuma

    I already was hit by it and they have my server. I hope I get it back.

    0
  • ThaCrypte

    They could just scan files that are being uploaded and see if they contain a Discord authentication QR code, and if one does, block the file.

    1
  • Artemis

    Just label the "Scan QR Code" button to indicate that it is used for logging in...

    1
  • PatPeter

    I hope you get your server back Kazuma. I would go ballistic if a new Discord feature that I had no knowledge of lost me my server.

    0
  • Kazuma

    It's a 4k server I worked on for years, full of my friends and memories. I reported it; I hope I get it back.

    0
  • ave

    I dislike many actions of Discord and think that they can improve many things; however, I do not see any fault on Discord's side in this specific situation.

    This is industry standard handoff procedure. WhatsApp and Signal both do this.


    Discord even has a dedicated modal to deal with this (on Android 10.1.9, I've been told that it's different on iOS, only saying "Almost There" and "You have unlocked the magic pass to login on your computer! Confirm that it's you on the PC."):

    > Are you trying to log in on the computer? [in bold]

    > Only scan QR codes taken directly from your browser. Never use a code sent to you by another user. [in red]


    The only improvements I think they might be able to make are:

    - There's a delay between the QR code scan and the "Yes, log me in" button being usable, preferably long enough (30s) that users get bored, read the text, and deny the request.

    - Users can report QR codes during this time, so that scammers can be directed straight to T&S.

    - QR codes on the webpage get shuffled rather quickly, every 10 seconds or so, so that a scammer wouldn't be able to put out a long-lived one in DMs. Having someone send an image every 10 seconds would get most people suspicious, I'd say.

    - Requiring multiple QR codes to be read after the first one is read; maybe just two should be enough.


    Your recommendation of automatically scanning any and every image for a QR code is NOT technically viable, especially at the scale of Discord.

    10
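    The two server-side controls proposed in the thread, short-lived rotating QR codes and a mandatory delay before the "log me in" confirmation is accepted, can be modelled in a few dozen lines. The following is an added illustration written for this page, not Discord's code; the 20-second code lifetime, the 30-second confirmation delay and the class and method names are assumptions, and the walkthrough in `demo()` uses a constructed timeline rather than a real clock.

```python
import hmac
import secrets

QR_TTL = 20.0         # seconds a displayed code stays valid (assumed value)
CONFIRM_DELAY = 30.0  # seconds the phone must wait before approving (assumed value)


class QrLoginService:
    """Server-side state for a QR device-login handoff (constructed example).

    The browser starts a session and polls current_code() to redraw the QR.
    The phone submits the decoded code via scan() and later calls approve().
    A code copied out of the page dies after QR_TTL, and approve() refuses
    to complete the login until CONFIRM_DELAY has passed since the scan.
    """

    def __init__(self):
        # session_id -> {"code", "issued", "scanned", "approved"}
        self._sessions = {}

    def start_session(self, now):
        """Browser calls this; returns the session id whose code goes in the QR."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"code": None, "issued": None,
                               "scanned": None, "approved": False}
        self._rotate(sid, now)
        return sid

    def _rotate(self, sid, now):
        # A fresh random code; any copy of the old one displayed elsewhere is dead.
        s = self._sessions[sid]
        s["code"] = secrets.token_urlsafe(24)
        s["issued"] = now

    def current_code(self, sid, now):
        """Browser polls this to redraw the QR; a stale code is replaced lazily."""
        s = self._sessions[sid]
        if s["scanned"] is None and now - s["issued"] >= QR_TTL:
            self._rotate(sid, now)
        return s["code"]

    def scan(self, code, now):
        """Phone submits the decoded code. Returns the session id, or None."""
        # Linear search is fine for an illustration; a real service would index.
        for sid, s in self._sessions.items():
            if s["scanned"] is not None:
                continue
            if not hmac.compare_digest(s["code"], code):
                continue
            if now - s["issued"] >= QR_TTL:
                return None  # matched, but the code has expired
            s["scanned"] = now
            return sid
        return None

    def approve(self, sid, now):
        """Phone presses 'Yes, log me in'. Rejected until CONFIRM_DELAY elapsed."""
        s = self._sessions.get(sid)
        if s is None or s["scanned"] is None or s["approved"]:
            return False
        if now - s["scanned"] < CONFIRM_DELAY:
            return False
        s["approved"] = True
        return True

    def is_logged_in(self, sid):
        return self._sessions[sid]["approved"]


def demo():
    """Constructed timeline: a copied code expires, a fresh one needs the delay."""
    svc = QrLoginService()
    sid = svc.start_session(0.0)
    copied = svc.current_code(sid, 0.0)        # attacker screenshots at t=0
    late_scan = svc.scan(copied, 25.0)         # victim scans the copy at t=25
    fresh = svc.current_code(sid, 25.0)        # browser has rotated by now
    own_scan = svc.scan(fresh, 30.0)           # legitimate scan at t=30
    early_ok = svc.approve(sid, 35.0)          # pressed too soon
    later_ok = svc.approve(sid, 60.0)          # delay elapsed
    return {"late_scan": late_scan, "own_scan": own_scan == sid,
            "early_ok": early_ok, "later_ok": later_ok}


if __name__ == "__main__":
    print(demo())
```

    The timeline in `demo()` shows both effects at once: the screenshot taken at t=0 is rejected at t=25 because the code has rotated, and the genuine scan cannot complete the login until 30 seconds after the phone read it.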
  • Populeux Music

    Just change your password if they gained access, and enable 2FA.

    -6
  • Siguy

    2FA doesn't work, as they get direct access to your account. And changing the password doesn't either, because they already have access.

    2
  • HonestAuntyElle

    @ave They already have basic image processing for nudes / NSFW / images matching known fuzzy hashes of child exploitation content. Automatic parsing of QR codes is trivial by comparison.

    -1
  • ave

    SiguyGamer: It still helps with preventing guild transfers and deletions, as those require 2FA. 2FA is good practice and you should use it everywhere.

    ryantheleach: First off, checking the whole image for QR codes and parsing them all is more intensive than hash comparison. Secondly, it's not a proper solution, because:

    1) Attackers can, for example, still link to a page containing the QR code, show it on a Go Live stream, etc. The possibilities are endless.

    2) External images are not scanned in any way. Only images that are uploaded to Discord are checked for sexual content, viruses and child exploitation content.

    Even if you could theoretically scan everything, just look at how (in)accurate the sexual content filter and the virus filter on Discord are, and decide for yourself if this'd be a good idea or not.

    0
  • Spartacus

    Processing images and looking for QR codes on Discord itself isn't much; it can spread outside Discord. Other apps use QR codes as a way to add a friend instead of typing usernames, so someone can get tricked into giving their account away just by thinking that it's for adding someone to their friend list. A simple warning saying what scanning the QR code does would be enough.

    -2
  • Techpriest

    @ryantheleach - Discord's NSFW filter has never worked for me outside of censoring things that decisively _weren't_ NSFW.

    0
  • Anonymus

    Why not remove the feature temporarily?

    -2
  • DD_HD

    But if you scan a code, Discord asks you if it is really your desktop you are going to log in on, so where is the problem?

    2
  • NorthernSystems

    Thinking about the average age of Discord's user base, with a large majority of it being under 18 (I am aware there are under-13s, and Discord's ToS says no; don't shoot the messenger), due to the aim of Discord to be for gamers, not every under-18, or over-18, is that tech savvy. So having a QR code scanner and saying "Hey, scan this code and it'll give you free ****", which bypasses all security setups and allows full access without personal verification, is a pretty big worm hole for something on the scale of Discord.

    If it worked in corroboration with some sort of built-in verification on the mobile device (biometrics scanner, passcode etc.) then it would be more secure, but at the moment, it is a very vulnerable loophole.

    0
  • Nessy

    QR code scam is old news? You guys still believe in free Discord Nitro giveaways? Nothing in the world is 100% free. People who have no experience with social media fall for it.

    3
  • ThatProgrammer

    I'm going to say this now. Discord should have put more time and effort into making this more secure. One of those reasons being that accounts with 2FA should still have to enter their 2FA code, or at least, if you're going to make it bypass both, give users the ability to choose how the feature works and what is still required if the QR code is scanned.

    Honestly, in my honest opinion, this feature seemed rushed to be added without consideration of the user base that Discord has. I feel like this has to be fixed ASAP.

    0
  • ;?

    Just get rid of QR codes PERIOD.

    -3
  • JM_ThePuertoRicanKid

    How can we avoid the QR code scams? 

    0
  • Kupo

    Don't scan QR codes that aren't from the login page on Discord. Don't click on suspicious links. If you use your ~Discord login~ information for something that isn't a ~Discord login~ page, you deserve to have your account stolen.

    -2
  • Dojnaz

    Discord can programmatically scan all uploaded images to see if they contain a QR code that is one of the login ones.

    0
  • ™Dog Bot™

    @147loch It actually is not impossible; you have to code the computer to see what app it is supposed to open!

    1
  • Isn't this a false spam thing that's going around the internet???

    2
    What if there was also a code system? I mean like an IP verification system.

    Example:
    When you scan the QR code from device 2, it tells the computer that it has been scanned. Device 2 searches for its IP and sends it back to the computer. Then device 2 provides its IP, which will have to be entered into the computer to verify it's you by IP.

    0
  • NorthernSystems

    @ V̴̍́i̸̓̕n̸̽͆c̴̊̍e̴͛̇n̶͒̆t̸͌͌

    That would be viable; however, think of the user base of Discord. Not all users are that savvy and will know, let alone understand, what the bunch of numbers on their screen is. It would be good to work in conjunction with 2FA apps (Google Authenticator, Microsoft Authenticator etc.), but IP validation is a bit far-fetched for the average gaming user.

    1
  • aiko 🙏🏻 痛み itami

    Yeah, but changing your password in less than 2 minutes can help, only 2 or 3 minutes, because if they don't change your password fast you can log them out.

    0