Why I won't subscribe to Nitro anymore, or support Discord.
Hi, this is a bit of a rant.
I previously had an account that had been Nitro since 2016 or close to it, and when I subscribed, I remember actually wanting to help Discord be better overall. I didn't care at all about the perks. 2FA was enabled.
Now, this account was hacked. I know why, I know what mistake I made. I downloaded a file from a person I trust. Turns out his account was compromised, and I didn't know that at the time. The attacker used the discussion history to make a convincing reason for me to download and execute his file, impersonating my friend.
Once the file was executed, I was threatened by a group of people in voice chat who wanted me to give them my account. Once I realized the danger, I closed everything, changed my Discord password along with other important accounts' passwords, and formatted my Windows installation, not keeping a single program. That was all done within an hour.
The next day, on my new Windows installation, my account was nuked, despite the password reset and new installation. All my contacts were spammed, unfriended, blocked; all the guilds I had joined were spammed and left. On the few servers I owned, including a 4000-member community server for a game, everyone was banned and all channels deleted.
I was there when it happened and got to watch it all with my own eyes. I didn't even have time to react. Everything happened in less than 2 minutes.
That's when I also realized I had been charged $100 worth of Nitro gifts through PayPal. As soon as I saw that, I logged in to PayPal, revoked Discord's authorisation, and charged back the $100 Nitro gift. That caused a couple of things to happen:
First, my account got disabled by Discord for a ToS violation. Apparently, chargebacks are a violation of the ToS.
And second, PayPal refused the chargeback, since that was an authorisation, despite me explaining that my account was compromised.
Right after that, I opened a Discord ticket to support for help.
Now today, 5 days later, still no response from Discord staff. Account still disabled.
I have a couple of questions:
How do you expect people to feel safe using your services when your client is so easy to attack? I did a bit of digging after that, and I found out about user tokens. So if I want to attack someone, all I need is his user token? It also bypasses 2FA and the password? That's as easy as stealing candy from a child with some programming skills.
And why doesn't Discord find banning 4000 members, quitting 30+ servers, and removing 100+ contacts in less than 2 minutes suspicious? From what I understand, user tokens are supposed to be used for clients, human-machine interfaces, so why would you allow, from a non-bot account, more than 30 actions per second on your API? That should be basic security right there ...
And of course don't get me started on the token system itself ...
And can I please get an answer to my ticket so that I can either recover my account or have it deleted? I would also really appreciate that $100 back.
TL;DR: Any other discussion software is more secure than Discord right now. Support so far is non-existent.
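The rate-limit question raised above (thousands of destructive actions from one user account in under two minutes) is the kind of burst a platform-side detector can flag. The following is an added example, not code from the post or from Discord: it runs a sliding-window count of destructive audit actions per actor over a constructed sample log. The action names, the 60-second window and the threshold of 30 are all assumptions chosen for the illustration.

```python
from collections import deque

# Audit actions that, in bulk, look like account takeover rather than moderation.
# These action names are constructed for the example, not real Discord audit-log types.
DESTRUCTIVE = {"guild_ban", "guild_leave", "friend_remove", "channel_delete", "user_block"}


def build_events():
    """Constructed sample audit log of (timestamp_s, actor, action), time-sorted.
    'hijacked' fires 40 bans in 20 seconds; 'mod' bans 5 people spread over an hour."""
    events = [(1000.0 + i * 0.5, "hijacked", "guild_ban") for i in range(40)]
    events += [(2000.0 + i * 700.0, "mod", "guild_ban") for i in range(5)]
    events += [(1005.0, "mod", "message_send")]  # non-destructive, must be ignored
    return sorted(events)


def peak_destructive_rate(events, window_s=60.0):
    """For each actor, the largest number of destructive actions seen in any
    sliding window of window_s seconds. Events must be sorted by timestamp."""
    recent = {}  # actor -> deque of timestamps still inside the current window
    peak = {}    # actor -> highest window count observed so far
    for ts, actor, action in events:
        if action not in DESTRUCTIVE:
            continue
        q = recent.setdefault(actor, deque())
        q.append(ts)
        while ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        peak[actor] = max(peak.get(actor, 0), len(q))
    return peak


def flag_sessions(events, window_s=60.0, threshold=30):
    """Actors whose peak rate exceeds the threshold; a real platform would pause
    the session and require re-authentication rather than let the burst finish."""
    rates = peak_destructive_rate(events, window_s)
    return sorted(actor for actor, n in rates.items() if n > threshold)


if __name__ == "__main__":
    sample = build_events()
    print(peak_destructive_rate(sample))  # {'hijacked': 40, 'mod': 1}
    print(flag_sessions(sample))          # ['hijacked']
```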
-
"How do you expect people to feel safe using your services when your client is so easy to attack ?"
This was not an attack on the client, it was an attack on you specifically. There is no social platform in existence that can protect you from negligence when it comes to running a malicious executable. It's also not their responsibility, it's yours and your anti-virus's.
"I did a bit of digging after that, and I found out about User tokens. So if I want to attack someone, all I need is his user token? It also bypasses 2FA and password? That's as easy as stealing candy from a child with some programming skills."
Not nearly as easy as you might think, and it pretty much requires the owner of the account to make a poor decision regarding account security. It's not possible for them to get your token without you giving it to them (even if you're completely unaware that you're doing it, i.e. running a malicious executable). What's more, this system is not unique to Discord. In fact, pretty much every single account you use online has some form of token system or something similar, and if you compromise that token, you will be putting your account at risk. The same thing can be done to Steam, Facebook, Gmail etc. It's not a problem unique to Discord alone.
"And why don't Discord find banning 4000 members, quitting 30+ servers, removing 100+ contacts in less than 2 minutes suspicious? From what I understand, user tokens are supposed to be used for clients, human-machine interfaces, so why would you allow, from a non-bot account, more than 30 actions per second on your API?"
Actually they don't, and I'm not sure how these commands were executed that quickly. Discord will absolutely rate limit you if you're hitting the API that quickly.
"And of course don't get me started on the token system itself ..."
Again, this is not remotely exclusive to Discord.
"Any other discussion software is more secure than Discord right now."
You're wrong. Discord is probably on the more secure side actually. Certainly far more secure than TeamSpeak, Ventrilo etc. Pretty much all platforms suffer the same issues; this could have just as easily happened on Skype or Facebook. It has nothing to do with it being Discord.
As for them impersonating your friend: I scan all files sent to me, regardless of who sends them. You should adopt that practice in the future too. As for being banned because of the chargeback, this is standard practice. All businesses will do that, and you should honestly be thankful that they do, and here's why. If your account is under the control of hackers, they have access to all of your chat logs and all personal information you've entered into Discord. This could enable them to dox you, find your address, your IRL name etc. Personally, if my account were to ever be hacked I would instantly go and file for a chargeback just so the account would get disabled, thus revoking the hackers' access to my private information.
-
Hi Balzarine Mythus,
First, thank you for leaving feedback. I appreciate any feedback, regardless of its stance. However, I have to disagree with your points:
"This was not an attack on the client, it was an attack on you specifically. There is no social platform in existence that can protect you from negligence when it comes to running a malicious executable. It's also not their responsibility, it's yours and your anti-virus's."
That, I do agree with. The first and foremost line of defense for account security is the user. However, we are all human, and prone to making mistakes. It is also the developer's responsibility to protect the user from himself and others by minimizing the risk of an account being compromised, and that is what I blame Discord for. Their security is seriously lacking.
"Not nearly as easy as you might think, and it pretty much requires the owner of the account to make a poor decision regarding account security. It's not possible for them to get your token without you giving it to them (even if you're completely unaware that you're doing it, i.e. running a malicious executable). What's more, this system is not unique to Discord. In fact, pretty much every single account you use online has some form of token system or something similar, and if you compromise that token, you will be putting your account at risk. The same thing can be done to Steam, Facebook, Gmail etc. It's not a problem unique to Discord alone."
A simple Google search for 'Discord token grabber' or 'Discord account nuker' will leave you with at least half a dozen results that are all open source GitHub repositories. For the token grabbers, I've checked some of them, written in various languages, and none of them are overly complex. Some read memory, some read outbound packets ... point is, it's not overly complex, and someone with decent programming skills can do it. Even worse, someone way less skilled can easily integrate those open source libraries into a new, much simpler program. Also, even worse still, none of them require Windows admin rights.
All of those will require the user to execute a foreign program, so I can agree that the user is foremost at fault here, but we come back to point number 1. Besides, I did scan the file, first thing I did. But antivirus programs are looking for known code signatures. No antivirus will protect you from a recent virus, or a tailored program made to attack you or a few dozen accounts on a specific program.
And yes, the same thing can apply to other accounts as well. I haven't written this in my original post, but a couple more accounts were tampered with along with Discord. However, all connection attempts on both of those accounts were successfully blocked, be it for an abnormal location or by 2FA. I had no difficulty changing the password on them a few minutes later.
"Actually they don't, and I'm not sure how these commands were executed that quickly. Discord will absolutely rate limit you if you're hitting the API that quickly."
Not much here to argue, but yet I've seen it with my own eyes. I was on Discord when it happened and I saw my account get destroyed in a couple of minutes while I was panicking trying to reset my password again. In the panic, I completely forgot where the reset password option was, and a minute later, my account was already completely destroyed.
The 4k+ member server I had wasn't destroyed as I wasn't the owner (But I had admin rights), so I also was able to confirm the manual ban of all the 4k+ members.
"Again, this is not remotely exclusive to Discord."
Might be, might not be. I don't know about that, but Discord is where I've seen the most compromised accounts trying to scam, bots etc ... Regardless of whether or not they are the only one, this system is not adapted to the size of their userbase. As I said, other accounts of mine were attacked; none of them were compromised like Discord.
"You're wrong. Discord is probably on the more secure side actually. Certainly far more secure than TeamSpeak, Ventrilo etc. Pretty much all platforms suffer the same issues; this could have just as easily happened on Skype or Facebook. It has nothing to do with it being Discord."
Ehh, I might have been pulling a bit on the string on that one, I'll give you that. I was (and still am) quite angry at Discord. However, I do not believe that Discord is secure, far from it, as stated by the points above, and it has reached a size where their security is seriously lacking compared to their size.
"As for them impersonating your friend: I scan all files sent to me, regardless of who sends them. You should adopt that practice in the future too. As for being banned because of the chargeback, this is standard practice. All businesses will do that, and you should honestly be thankful that they do, and here's why. If your account is under the control of hackers, they have access to all of your chat logs and all personal information you've entered into Discord. This could enable them to dox you, find your address, your IRL name etc. Personally, if my account were to ever be hacked I would instantly go and file for a chargeback just so the account would get disabled, thus revoking the hackers' access to my private information."
Please do not assume that I am not careful. As stated above, I did scan the file sent to me; the result was clean. I also usually refuse that kind of request. But the contact the attack came from was a trusted friend of mine, and just this once, I accepted.
As for the ban due to the chargeback, I never said that I was not thankful for that. I too am glad that it was disabled after being compromised. However, I was not aware that it would result in a ban when I did it, and would have appreciated some kind of warning. You get a message from Discord when trying to charge back on PayPal; it doesn't say that you will be banned for it, just that they prefer to have you contact the staff about it. Besides, if I contact the staff, I have been paying diligently since 2016; I'm sure that explaining the situation to get my account restored would be easy.
But thing is, I can't. I've tried, it's been now over a week, and still no response from Discord's staff.