New MFA key for account detail changes? (don't allow the same key twice)
Hi Team.
I recently got compromised through a phishing attack that pinched my login token and MFA by pretending to be a bot.
Yeah, I shouldn't have fallen for it, but as far as I was concerned I was just logging in to see what the bot did.
The attack consisted of a normal OAuth challenge, that then provided an MFA request which I provided. Instantly the attacker took control of my account and trashed the servers I have rights on.
The issue is a lot of other platforms require an additional MFA when attempting to do things like resetting your password, or changing email addresses.
Unfortunately, once this attacker had my login token, they were able to completely lock me out with zero discourse other than contacting support. (who are probably busy getting flooded with emails from the same thing)
Can we get Discord to force some kind of challenge when updating key criteria? If, for example, a user attempts to change their email address, require a re-logon and A NEW MFA KEY (i.e., wait at least 30 seconds from login so the old key can't be re-used), or an SMS for phone-verified accounts.
I know we shouldn't fall for phishing in the first place, but none of us are perfect and this was so well engineered, none of my "hey don't click that" instincts kicked in.
This would reduce load on the support team considerably.
-
Whilst I'm at it.
Perhaps in the "your email was changed" message, can I suggest a "Wait a second" link or something?
Sure, you don't want it to abort the move (in case you have lost the email address), but put the account in stasis temporarily if someone presses the "wait a second" link, to stop people scraping your data, until a support team member can get involved and figure out who is who.