A Proposal to Improve 2FA Security / Fixing a Critical Account Security Flaw
Hello everyone.
I've been using Discord since its infancy, when Nitro was not a thing (Nitro Early Supporter here), servers were disorganized with no way to put them into folders, and Hypesquad was a thing you had to apply for (I'm also a Hypesquad Event Member). I love Discord. I was the guy that unapologetically and proudly wore the Hypesquad shirt and Discord badges on my backpack as I strolled through my University campus telling people how great this new application was. I also used Discord to manage my game communities and to call my other half (now fiancée) every day, since we were long-distance.
You can imagine how distraught I was when I, like unfortunately many people I've come across, fell victim to the recent "download my game" account takeover attack. EDIT: I have since recovered my account with the help of Discord Safety and Trust! Original: I contacted Discord Support immediately, as instructed in my email, and have become increasingly upset at Discord's inaction rather than at the attacker who gained access to my account. While I'm waiting to receive a response (and I have yet to receive one except Clyde's autoreply), I would like to propose changes or provide more visibility on this issue.
When this attacker gained my account details, they were able to change the email address my account was associated with and the password of the account. I had 2FA enabled on the account and did not receive any emails or SMS to confirm password changes nor email changes. Other services that implement 2FA such as Google, require you to confirm 2FA when changing practically anything about the account. With this, it would be great if Discord could implement similar policies with their accounts when 2FA is enabled.
Additionally, it seems like Discord does not send an email when there is a login from a different geographical location than normal if you have 2FA enabled. I've received emails for the account I'm using now saying that I've logged in from a new location, and this account does not have 2FA enabled. If an account change or message is being sent from a new location/IP address that wasn't previously used, there should be an email/SMS/2FA confirmation before the account can be used in this new location. If the confirmation is not done in a timely manner, e.g. within 1 hour, the account should be logged out of all locations and be forced to reset its password via a link sent through email or SMS. If 2FA is enabled, a 2FA confirmation request should be made prior to resetting that password.
TL;DR: I love Discord and I want it to be better.
Please do the following:
- Make a 2FA Confirmation Request via Email, SMS, or TOTP Authenticator App prior to changing an email address associated with an account.
- Make a 2FA Confirmation Request via Email, SMS, or TOTP Authenticator App prior to changing a password associated with an account.
- Send notifications when a person is logged into an account from a new location or IP address for 2FA-enabled accounts.
- If an account change (e.g. password change, email change, etc.) is being made from a new location or IP address, send a notification and 2FA Confirmation Request (if 2FA is enabled) before allowing the change.
- If the request is not confirmed within a timely manner, log the account out from all locations and force a password reset.
P.S.: I've been chronicling my Discord Support experience on the Discord subreddit here: Chronicling My Discord Support Experience (r/discordapp on reddit.com)
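The five requests above describe one server-side policy: a fresh second factor before an email or password change, confirmation sent to the address on file before the change, a notification plus confirmation for a login from an unseen IP, and session revocation with a forced reset if nothing is confirmed within the hour. The following Python sketch is an added illustration of that policy and is not Discord's code; the class and method names (ChangeGuard, Account, PendingAction), the in-memory notifications list standing in for email/SMS delivery, and the one-hour window are assumptions made for the example. The TOTP routine follows RFC 6238 so the guard checks real authenticator-app codes.

```python
"""Step-up policy for sensitive account changes and new-location logins (added example, not Discord's code)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Callable, Optional


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at time `now`."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Account:
    email: str
    totp_secret: Optional[bytes]                 # None means 2FA is not enabled
    sessions: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)
    must_reset_password: bool = False
    notifications: list = field(default_factory=list)  # assumed stand-in for email/SMS delivery


@dataclass
class PendingAction:
    account: Account
    description: str
    apply: Callable[[], None]   # what to do once the user confirms
    expires_at: float


class ChangeGuard:
    CONFIRM_WINDOW = 3600   # assumed: seconds to confirm before every session is revoked

    def __init__(self) -> None:
        self.pending: dict[str, PendingAction] = {}

    def _check_totp(self, acct: Account, code: Optional[str], now: float) -> None:
        """Require a valid *current* code whenever the account has 2FA, even on an authenticated session."""
        if acct.totp_secret is None:
            return
        expected = totp(acct.totp_secret, now)
        if code is None or not hmac.compare_digest(expected, code):
            raise PermissionError("2FA confirmation required")

    def _queue(self, acct: Account, description: str, apply: Callable[[], None], now: float) -> str:
        token = secrets.token_urlsafe(16)
        self.pending[token] = PendingAction(acct, description, apply, now + self.CONFIRM_WINDOW)
        # The confirmation goes to the address on file *before* the change, so someone who
        # only has the password cannot silently swap the email out from under the owner.
        acct.notifications.append(f"{acct.email}: confirm '{description}' with token {token}")
        return token

    def login(self, acct: Account, ip: str, session_id: str, totp_code: Optional[str], now: float) -> Optional[str]:
        """Authenticate a session; a login from an unseen IP is notified and must be confirmed in time."""
        if acct.must_reset_password:
            raise PermissionError("password reset required before login")
        self._check_totp(acct, totp_code, now)
        acct.sessions.add(session_id)
        if ip in acct.known_ips:
            return None
        return self._queue(acct, f"new login from {ip}", lambda: acct.known_ips.add(ip), now)

    def request_change(self, acct: Account, attr: str, new_value: str, totp_code: Optional[str], now: float) -> str:
        """Email/password changes need a fresh 2FA code (step-up) plus confirmation from the old email."""
        self._check_totp(acct, totp_code, now)
        return self._queue(acct, f"change {attr}", lambda: setattr(acct, attr, new_value), now)

    def confirm(self, token: str, now: float) -> bool:
        """Apply a pending action; a late confirmation is treated the same as no confirmation."""
        action = self.pending.pop(token, None)
        if action is None:
            return False
        if now > action.expires_at:
            self._lock_out(action.account)
            return False
        action.apply()
        return True

    def sweep(self, now: float) -> int:
        """Periodic job: every unconfirmed action past its window locks the account out."""
        expired = [t for t, a in self.pending.items() if now > a.expires_at]
        for token in expired:
            self._lock_out(self.pending.pop(token).account)
        return len(expired)

    def _lock_out(self, acct: Account) -> None:
        acct.sessions.clear()
        acct.must_reset_password = True
        acct.notifications.append("confirmation window expired: signed out everywhere, password reset required")
```

The change is never applied at request time; it sits in `pending` until the owner confirms from the old address, and the sweep job turns silence into a lock-out rather than leaving the attacker's session alive.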
I agree that this system needs to be implemented, as no hack should be able to forcefully take control of your account and change your details without 2FA confirmation from text message, email and/or authenticator app.
Thanks for your support Huntsman43. I do hope Discord sees this and works on implementing more security features!
Our community was hit by the very same attack. The attack ended with them being charged over $900 in Nitro fees because of this. The vulnerability of the accounts is insane and should be changed. I think, in addition, that having a verification email sent to your email or another authentication step on a server deletion should be allowed. One of the members of our community lost his 100-user community Discord due to the hack, as they had full control of his account. I can't in good conscience keep my payment information for Nitro in Discord if it's this easy to get around the 2FA.
I fully support this change, as it is an extreme security risk with massive consequences that needs to be addressed.
TheLawGivar, I'm sorry to hear what happened to your community and your member's community. I hope that PayPal/your banking institution was able to help you recover the money that was charged fraudulently. Thank you for the support!
I (a member of TheLawGivar's community) lost my account to this very same attack. After a week of silence from Discord's support team and a week of angry tweeting at their Twitter account and the CEO's Twitter account, the person running the Twitter account was able to lock my compromised account and issue refunds. Mind you, this was after telling me the day prior that they couldn't do anything over social media and I would need to submit a ticket.
However, I STILL haven't heard anything from the support team beyond a single message from MichaelA saying he would be in touch, despite my 15+ follow-up emails asking for updates or any information at all. For as massive a user base as Discord has, they should absolutely have the support staff to handle this in a timely manner. I've now been locked out of my account for a week and a half.
I agree wholeheartedly with OP that 2FA should trigger upon trying to log in from a new location, upon attempting to change your password, and upon trying to change your username. It is absolutely unacceptable that this person was able to compromise so many accounts this way.
I would like to add some more suggestions:
As Puraimu pointed out, 2FA was useless in the case of this hack. This is silly: what do we use extra layers of security for, if not to prevent those kinds of issues?
1. On top of being prompted for a 2FA code to change our email address, it'd be nice to send an email asking to confirm the change to the current email as well: it's very unlikely that the hacker has access to the email address too.
2. Instead of requiring users to email you from the email address currently linked to their account in order to refund them, also accept emails from the PayPal account address if applicable, as the hacker can simply change the email address of the account and still use the PayPal account that's linked to the Discord account.
3. Ask for users to enter a code from the 2FA app when they purchase Nitro: there's no need for it to be systematic, it can be after the third time over a short defined amount of time, for example an hour.
4. Add a ceiling to the amount you can spend on Nitro over a defined amount of time, like $100 every 24h for example, to give time to your users to block the charges coming from Discord on their PayPal/bank, in order to limit the damages in case they're hacked.
5. Remove the option to log in via QR code. This was never secure, and I speculate that this is in part what the hacker used to gain access to the accounts.
Until these suggestions (or similar) are implemented, I'm pulling my payment method out of Discord and I won't pay for Nitro anymore. I don't want to risk going through the same thing my friends did in case I get hacked as well, because it can happen to anyone, even the most careful and most tech-savvy of us, and given that your security is terribly bad, even with 2FA enabled, I don't feel comfortable storing my payment info on your app.
Do better, Discord. This comes from a place of love.
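Points 3 and 4 in the comment above (a 2FA prompt from the third Nitro purchase within an hour, and a hard spending ceiling per 24 hours) can be expressed as one purchase-authorization check. The following is an added Python example and not Discord's code; the thresholds, the PurchasePolicy and PurchaseHistory names, the three decision strings and the in-memory purchase history are assumptions made for the illustration.

```python
"""Purchase velocity step-up and spending ceiling (added example, not Discord's code)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PurchaseHistory:
    """Completed purchases for one account as (timestamp, amount_cents), oldest first."""
    events: deque = field(default_factory=deque)


class PurchasePolicy:
    # Assumed thresholds, taken from the comment's examples.
    STEP_UP_COUNT = 3         # from the third purchase inside STEP_UP_WINDOW, a 2FA code is required
    STEP_UP_WINDOW = 3600     # one hour
    CEILING_CENTS = 100_00    # $100 per CEILING_WINDOW, a hard stop regardless of 2FA
    CEILING_WINDOW = 86_400   # 24 hours

    def _prune(self, hist: PurchaseHistory, now: float) -> None:
        """Drop purchases that no longer count toward the 24-hour ceiling."""
        while hist.events and now - hist.events[0][0] > self.CEILING_WINDOW:
            hist.events.popleft()

    def evaluate(self, hist: PurchaseHistory, amount_cents: int, now: float,
                 second_factor_ok: bool = False) -> str:
        """Return "ALLOW", "REQUIRE_2FA" or "DENY"; only an allowed purchase is recorded.

        The ceiling is checked first: a stolen account cannot buy past it even with
        a valid code, which bounds the damage to roughly one day's limit.
        """
        self._prune(hist, now)
        spent = sum(amount for _, amount in hist.events)
        if spent + amount_cents > self.CEILING_CENTS:
            return "DENY"
        recent = sum(1 for ts, _ in hist.events if now - ts <= self.STEP_UP_WINDOW)
        if recent + 1 >= self.STEP_UP_COUNT and not second_factor_ok:
            return "REQUIRE_2FA"
        hist.events.append((now, amount_cents))
        return "ALLOW"
```

A refused attempt is not recorded, so retrying after supplying the code does not count twice, and the caller is expected to verify the second factor itself before passing `second_factor_ok=True`.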
Oh yeah, I was also a victim of the "download my game" scam that's been going around, just recently (3 days ago, December 28th, 2021). My account is currently compromised and I'm waiting for a response, as they are DMing my friends to download a game (I already informed them of this and that it was not me). The account that is hacked right now is mochu#2952 and all my connections are still on it, same with my phone number.

I found the culprits of the attack: they run a server with a bunch of stolen accounts called .gg/1794 (all the connections are still linked to it lmfao).
They also don't only steal your Discord account; they install a RAT on your computer that steals passwords from any program (usually Google), so if they stole your Discord account they probably stole your Google autofill passwords too. I'd recommend you change your password for absolutely everything. They also have a program that snapshots your screen periodically. I'm going to post an image of one of the attack's files that I scanned,
and I will send an image of one of the sites they used to download malware onto your computer.

Do not download this ^
I agree with this post entirely and I think Discord security should be improved drastically. Anybody with cards connected to their account (if hacked) is at risk of having Nitro purchased all the time if money is added into their checking account (debit card) or if they have a credit card connected to it.
Also, I have to admit we are dumb on our part too and should take some responsibility for being hacked. I just want to make a statement to NEVER click on fishy links, EVER, no matter who it comes from.
The fact this hasn't been implemented the moment Discord went live is just baffling.
This is such a critical flaw in security that many other companies would be in hysterics over because of how easy it makes hijacking accounts. I was also a victim of the "Test my game" scam, and it took 2 weeks to get my account back. I'm more upset with Discord than with the hijackers because these flaws in security allowed this to happen almost effortlessly.
The problem with "Don't click on fishy links" is that social engineering fools people more easily than that. I'm in a friend group that does sprite editing and coding. The malware was uploaded to itch.io, where plenty of legitimate games are uploaded.
This is a great suggestion to be honest