Allow custom/modded interface

Comments

5 comments

  • Hope

    @squeegily,

    Using Discord's API with Discord's own provided client to interact with it is considered safe, since they have full control over what it does.

    Using a modified client to interact with Discord's API means Discord no longer has full control over what it does, thus making it impossible for Discord to make sure that their users stay safe.

    Edit (thanks Marco): Using a modified client introduces risks for a user in the first place, since the authors of that client could've had free rein to make any modifications, such as keyloggers, token grabbers, selfbots (a quote plugin on BetterDiscord that uses embeds counts as a selfbot), and probably other malicious stuff that unsuspecting and inexperienced users could not know about.

    0
  • squeegily#7499

    @Hope,

    The risks you mention, such as "keyloggers, token grabbers...and probably other malicious stuff", are still, currently, a risk with the state of the API.

    Administratively banning the users from knowingly customizing their UI is not going to patch the security risk of malicious code. The API is as exposed as ever, and there's nothing stopping a malicious program from modifying, replacing, and/or [presenting itself to the user as] the stock UI.

    The administrative policy against custom UIs does not protect the user against malicious code, which is a technical threat.

    If "using a modified client...makes Discord no longer have full control on what it does", then Discord never had that control in the first place, since if a user runs malicious code, that malicious code will do what it wants irrespective of what the user is supposed to do.

    Telling users "don't dial in via libpurple (even though we provided sufficient API access for it)" is not going to stop "free_nitro.jpg.exe" from taking over the account. Malicious code will just use what it's been given.

    If the API is vulnerable, the only people who will listen when Discord says don't use it pls are non-hackers. The hackers will not respect this Administrative stipulation; they only care about what's been made available to them from a Tech perspective.

    0
  • Jhennifer Quinn

    To necro or bring this thread back to life: squeegily#7499 is absolutely correct. It's not going to stop people who "code", and BetterDiscord already is very user-friendly; you do not need to be a coder to use it, and most of the people that do use it are not coders.

    Everyone wants to push "oh, security risk this and security risk that". But as OP mentioned: it won't stop the user-level people who use Discord from downloading a .exe that enables the dev console and completely rewrites how Discord functions on a victim's computer. That is able to be done because Discord provides access to a dev console, and you can enable this in the SYS Registry.

    There are two sides to the community of Discord users who have coding knowledge and experience: those who will be malicious, and those who protect others as much as possible from malicious people. The problem is the API exposure, which wasn't supposed to be used for malicious activity but is anyway. Webhooks and all that jazz enable token grabbers way more than you think. Hell, even applications could technically grab a user's token. This is how people get caught up in server invite spam and get their accounts overridden by a malicious server. Discord is too big to manage against that, but there are people trying to protect users.

    Don't ban modifications of a client from people because of things that are already happening. It's silly.

    0
  • Hope

    Simple: no.

    Having a custom UI (modified client), like BetterDiscord or others, can be seen as a security issue. Discord clarified that on their Twitter when a user specifically asked: https://twitter.com/discord/status/1085271973180125185

    -1
  • squeegily#7499

    @Hope,

    The "security issues" they cite exist because of the APIs they expose. Yes, an API allowing full control over a user's profile is (arguably) a "security issue", one that already exists.

    What is not banned:

    • Using their API, exposing oneself to its risks

    What is banned:

    • Using their API in a way that directly improves the user experience

    -----

    If the Discord servers are locked to the Discord interface, and vice-versa, then there's a huge cost to getting everyone in a group migrated away. (You've got to choose software, and a server, and then get everyone to re-learn the new interface.)

    But if they were already using e.g., Pidgin+libpurple to communicate on Discord, then (if they ever decide to leave) changing the host will be super simple, and Discord might be at risk of the users moving away.

    It's not actually about "security"; it's about making sure that their platform is never integrated with any other in a way that might (eventually) lead to an outflux of (some) users.

    -1
