Allow custom/modded interface
I'd like to start the """petition""" (so to speak) to repeal the ban on custom/modded UIs. I couldn't find an existing thread about this per se.
I think I'm referring to the following excerpt of the ToS:
… The Service provides a chat and social platform. … You agree not to (and not to attempt to) (i) use the Service for any use or purpose other than as expressly permitted by these Terms; (ii) copy, adapt, modify [or] prepare derivative works based upon … the Service or any portion of the Service …
but I am referring to whatever it was that the Twitter thread is referring to.
Being free to control the way we interact with a service is a crucial aspect of respecting users' autonomy. Being forced to choose between interacting with it a certain way, or not at all, is severely limiting; and the endless stream of complaints about this or that UI problem which has been imposed on the users in the latest update is just one symptom of this.
I hate being bound to this service's buggy, paternal UI which makes so very many, so very wrong assumptions about the way I interact with my communication platforms. It makes me frustrated every time I use it, and sad that inertia keeps it as the Schelling Point for online communities.
This one simple policy change (not even a technical change!) would put a hard lower bound on how awful the Discord UX can get. I think it would improve user recruitment, and reduce the cheering that will occur if/when Discord ever gets dethroned, as well as shifting that scenario's likelihood to happen much further into the future.
-
@squeegily,
Using Discord's API with Discord's own provided client to interact with it is considered safe, since they have full control on what it does.
Using a modified client to interact with Discord's API makes Discord no longer have full control on what it does, thus making it impossible for Discord to make sure that their users stay safe.
Edit (thanks Marco): Using a modified client introduces risks for a user in the first place since the authors of that client could've had free range of any modifications, such as keyloggers, token grabbers, selfbots (such as a quote plugin on BetterDiscord that uses embeds counts as a selfbot) and probably other malicious stuff that non-suspecting and non-experienced users could not know about.
0 -
@Hope,
The risks you mention, such as "keyloggers, token grabbers...and probably other malicious stuff", are still, currently, a risk with the state of the API.
Administratively banning the users from knowingly customizing their UI is not going to patch the security risk of malicious code. The API is as exposed as ever, and there's nothing stopping a malicious program from modifying, replacing, and/or [presenting itself to the user as] the stock UI.
The administrative policy against custom UIs does not protect the user against malicious code, which is a technical threat.
⸻
If "using a modified client...makes Discord no longer have full control on what it does", then Discord never had that control in the first place, since if a user runs malicious code, that malicious code will do what it wants irrespective of what the user is supposed to do.
Telling users "don't dial in via libpurple (even though we provided sufficient API access for it)" is not going to stop "free_nitro.jpg.exe" from taking over the account. Malicious code will just use what it's been given.
If the API is vulnerable, the only people who will listen when Discord says don't use it pls are non-hackers. The hackers will not respect this Administrative stipulation; they only care about what's been made available to them from a Tech perspective.
0 -
To necro or bring this thread back to life: squeegily#7499 is absolutely correct. It's not going to stop people who "code", and BetterDiscord already is very user friendly; you do not need to be a coder to use it, and most of the people that do use it are not coders.
Everyone wants to push "oh, security risk this and security risk that". But as OP mentioned: it won't stop the user-level people who use Discord from downloading a .exe that enables the dev console and completely rewrites how Discord functions on a victim's computer. That is able to be done 'cause Discord provides access to a dev console and you can enable this in the SYS Registry.
There are two sides of the community of Discord users that have knowledge in coding and experience, that will either be malicious or the ones to protect others as much as possible from malicious people. The problem is the API exposure, which wasn't supposed to be used for malicious activity but is anyway. Webhooks and all that jazz enable token grabbers way more than you think. Hell, even applications could technically grab a user's token. This is how people get caught up in server invite spams and get their accounts overridden by a malicious server. Discord is too big to manage against that, but there are people trying to protect users.
Don't ban modifications of a client from people because of things that are already happening. It's silly.
0 -
Simple, No.
Having a custom UI (Modified Client), like BetterDiscord or others, can be seen as a security issue. Discord clarified that on their Twitter when a user specifically asked that: https://twitter.com/discord/status/1085271973180125185
-1 -
@Hope,
The "security issues" they cite exist because of the APIs they expose. Yes, an API allowing full control over a user's profile is (arguably) a "security issue" - one that already exists.
What is not banned:
- Using their API, exposing oneself to its risks
What is banned:
- Using their API in a way that directly improves the user experience
-----
If the Discord servers are locked to the Discord interface, and vice-versa, then there's a huge cost to getting everyone in a group migrated away. (You've got to choose software, and a server, and then get everyone to re-learn the new interface.)
But if they were already using e.g., Pidgin+libpurple to communicate on Discord, then (if they ever decide to leave) changing the host will be super simple, and Discord might be at risk of the users moving away.
It's not actually about "security"; it's about making sure that their platform is never integrated with any other in a way that might (eventually) lead to an outflux of (some) users.
-1