Getting your Discord account taken over is trivial once you have an account's authentication token, and it's becoming more apparent that it's far too easy to sniff out the token from an active Discord client - even the standalone Desktop version or a mobile client. Trust me, as it's happened to me recently, and I'd heard of two more ways to lose your account since Sunday. So I propose that:
A) First of all, you should require a separate, single-use token to perform sensitive operations. Such a token should be obtained via a fresh re-authentication with Discord's servers (including MFA/2FA, if that's enabled) and importantly can only be used once to perform irreversible actions like changing a password, displaying 2FA backup codes, changing an email, etc. Notably, it's not the auth token that's used to get this "special" token. This would help mitigate some of the problems when an account is compromised.
B) ACTUALLY INVALIDATE TOKENS WHEN THE PASSWORD IS CHANGED.
C) Make it so a general auth token is only good if it's coming from a particular IP Address, or (if technically possible), from a particular MAC Address. This would prevent someone sniffing out your token and using it on a different machine.
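
A minimal server-side sketch of proposals A and B, added here as an illustration; it is not part of the original post and not Discord's code. The `AuthService` class, its method names, the action string and the 300-second lifetime are all assumptions, and the MFA step is only marked by a comment.

```python
import hashlib, hmac, secrets, time

STEP_UP_TTL = 300  # seconds a step-up token stays valid (assumed value)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    """In-memory model of proposals A and B; every name here is hypothetical."""

    def __init__(self):
        self.creds = {}     # user -> (salt, password hash)
        self.sessions = {}  # general auth token -> user
        self.step_up = {}   # single-use token -> (user, action, expiry)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, _hash(password, salt))

    def _verify(self, user, password):
        salt, stored = self.creds.get(user, (b"", b""))
        if not hmac.compare_digest(stored, _hash(password, salt)):
            raise PermissionError("bad credentials")

    def login(self, user, password):
        self._verify(user, password)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def reauthenticate(self, user, password, action):
        # Proposal A: needs fresh credentials (an MFA check would also go here);
        # a general auth token is never accepted as input.
        self._verify(user, password)
        token = secrets.token_urlsafe(32)
        self.step_up[token] = (user, action, time.time() + STEP_UP_TTL)
        return token

    def change_password(self, step_up_token, new_password):
        # pop() consumes the token before any check, so it cannot be replayed.
        user, action, expiry = self.step_up.pop(step_up_token, (None, None, 0))
        if user is None or action != "change_password" or time.time() > expiry:
            raise PermissionError("step-up token invalid, expired or already used")
        self.set_password(user, new_password)
        # Proposal B: revoke every outstanding token for this user.
        self.sessions = {t: u for t, u in self.sessions.items() if u != user}
        self.step_up = {t: v for t, v in self.step_up.items() if v[0] != user}

    def whoami(self, session_token):
        return self.sessions.get(session_token)
```

With this split, a copied general auth token can still read the session it belongs to, but it cannot change the password, and it stops working as soon as the legitimate owner changes the password.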