Bind the IP/Location to the user's session token
Hey there!
Account takeovers and hacks have been increasing more and more. Some good advice being given out is to enable device 2-factor authentication. However, this doesn't stop some malicious software from taking the actual session token from the browser. Recently, there has been a wave of malware designed to go into the browser's cookies and extract the session token for Discord. These tokens are then sent to the bad actor, who then uses them for many reasons, like peeking into private DMs, racking up hundreds of dollars in Nitro gifts, spamming, or moderation destruction of any servers in which the user is a moderator. It's gotten to the point where there are people selling "discord token grabbers" on grey-hat forums: prepackaged programs that can be sent to the victim and, if they open it, it sends their discord token to a webhook.

I have personally decompiled one of these programs to take a peek inside. It was spread through DMs; the spammer would ask if they could "help test out their game". The victim would download the "game" and run it, and it would run a normal platformer-like game. However, in the background, it extracted the victim's IP and computer details, and went into the browser (Chrome, Brave, etc.) cookies and LocalStorage of the Discord app to extract the session token and send it to a discord webhook. The bad actors would then log into the victim's account using the token, and use it to spread the malware further, by DMing random users on the victim's friends list asking to "test out their game".
Discord has become more and more important to people, and many people use it to chat with people with similar interests or to hang out with friends over video and voice chat. Malicious people should not be able to peek into our private conversations or cause destruction to servers. Users have lost hundreds of dollars due to unauthorized purchases of yearly gifted Nitros. Trust & Safety and Anti-Abuse should be a high priority on Discord's priority list. A short-term mitigation to the malware problem would be to tie an IP or a general geolocation to the session token given at sign-in. If that token is used in a location that does not match the IP or geolocation, it would terminate the session token and ask the user to log in again.
I hope you take this suggestion into consideration!
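The mechanism the post proposes, a server-side session store that remembers where a token was issued and revokes it when it is presented from somewhere else, as an added example that is not part of the original post and not Discord's own code (how Discord actually handles sessions is not described on this page). Since no geolocation database is available offline, the example stands in for "general geolocation" by binding each token to the /24 (IPv4) or /48 (IPv6) network of the login address; that prefix choice, the `SessionStore` class and all sample addresses are assumptions constructed for the demonstration:

```python
from __future__ import annotations

import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    bound_network: ipaddress.IPv4Network | ipaddress.IPv6Network
    created_at: float
    revoked: bool = False


class SessionStore:
    """Server-side session store that binds each token to the network it was issued from.

    Hypothetical illustration of the suggestion above: the /24 and /48 prefixes are
    a constructed stand-in for a "general geolocation" check, not a real geo lookup.
    """

    def __init__(self, v4_prefix: int = 24, v6_prefix: int = 48) -> None:
        # Keyed by SHA-256 of the token, so a leaked session table does not leak live tokens.
        self._sessions: dict[str, Session] = {}
        self._v4_prefix = v4_prefix
        self._v6_prefix = v6_prefix

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _network_for(self, ip: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
        addr = ipaddress.ip_address(ip)
        prefix = self._v4_prefix if addr.version == 4 else self._v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def login(self, user_id: str, client_ip: str) -> str:
        """Issue a fresh random token bound to the client's network at sign-in."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(
            user_id=user_id,
            bound_network=self._network_for(client_ip),
            created_at=time.time(),
        )
        return token

    def authenticate(self, token: str, client_ip: str) -> tuple[str | None, str]:
        """Return (user_id, "ok") or (None, reason).

        A token presented from outside its bound network is revoked on the spot,
        which is exactly the "terminate the session and ask to log in again" behaviour
        proposed in the post: a stolen token replayed from the attacker's network dies.
        """
        session = self._sessions.get(self._key(token))
        if session is None or session.revoked:
            return None, "invalid"
        if ipaddress.ip_address(client_ip) not in session.bound_network:
            session.revoked = True
            return None, "location_mismatch"
        return session.user_id, "ok"

    def logout(self, token: str) -> None:
        session = self._sessions.get(self._key(token))
        if session is not None:
            session.revoked = True


if __name__ == "__main__":
    store = SessionStore()
    # Constructed sample: login from a documentation-range address, then the same
    # token replayed first from the same /24 and then from a different network.
    token = store.login("alice", "203.0.113.10")
    print(store.authenticate(token, "203.0.113.77"))   # same network -> ('alice', 'ok')
    print(store.authenticate(token, "198.51.100.5"))   # replay elsewhere -> (None, 'location_mismatch')
    print(store.authenticate(token, "203.0.113.10"))   # already revoked -> (None, 'invalid')
```

The trade-off a practitioner would weigh before shipping this: mobile carriers, CGNAT and VPNs legitimately move a user across networks mid-session, so a hard revoke on every mismatch produces forced re-logins for honest users. A common softer variant keeps the same store but treats a mismatch as a signal for step-up authentication (re-prompt for the second factor) rather than immediate termination, which still stops a replayed token while tolerating an address change.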
The best solution to this that I can think of is to never use your browser to access discord. Instead use the client.
Regardless, no amount of security offered by discord itself is going to protect you when you're downloading and installing malicious software. Most people nowadays should know better than to download and run executables from strangers.
You wouldn't eat a strange substance that I offered to you in public; apply the same logic to your internet behavior. If the person is a stranger, you shouldn't be downloading anything they send regardless of what the file extension is.
It doesn't matter if you use the browser version or client version by the way, if the victim is installing a program from the person with malicious intent, then they can do pretty much anything to them. You can use Python to grab a Discord token not just from the browser cookies, but also the client cookies because it's no more than the Discord site formatted into an executable.
This shouldn't be just for Discord, anytime you download an exe file on the internet you're putting yourself at the risk of malware. So if you don't understand how to decompile these files and check for malware, then you should never install executables from random people. It's common sense to not trust everyone immediately, especially online of all places where anonymity makes people more willing to mess with others.
Discord can't fix it entirely because they can't control the decisions of others, but it could definitely use more security. It's so easy to grab a token, and it completely bypasses 2FA. You don't even need to go through the hassle of getting someone to download and run an executable; simply trick them into pasting code into the console and it'll work just as well. When it comes to IP grabbing, you can do that simply by making a webpage that grabs the victim's IP and sends it through a webhook, then just host it on a free site host like netlify or htmlsave.
Conclusively, even if Discord improves their security (which they should; I had to code my own anti-abuse system so it locks any unauthorized people out of my account), people will still need to understand the basic rules of the internet. Don't click sketchy links and especially don't download random files if you don't understand them or trust the company.
To add onto my comment - you can also grab IPs through a Discord bot token. I found a way to track down the IP of the bot creator when it was created by complete accident, so I used that to my own advantage to grab all my old IPs from my bots and used them as proxies. Still, that doesn't remove the fact people can track you down without your account token, either through a link or an unrelated token.
Oh yeah for sure, if you're installing a program then it won't matter if you're using the client or the browser. Not using the browser would likely prevent your token from being grabbed by a malicious link, but it would do nothing for malicious software, nor would it save you from pasting code into the client. However, these are user-created security flaws; it's not exactly a flaw in discord itself and is instead bad internet behavior on the side of the user.
No amount of security features will protect you from yourself without making the program a headache to use.
Of course, if you've already signed into discord on your browser, then clicking the link in the client would still get your token nabbed. As a general rule, don't open links from people you don't trust, even if it looks like a legitimate link.
Consider running a sandbox or a virtual machine and pasting the link into a browser running that way.