Major flaw with QR scan

Comments

53 comments

  • advancedlamb

    oh shid guys it's the golden witch Beatrice

    -3
  • Unlocked

    Bypassing 2FA is obviously a problem. However, even requiring two factors wouldn't be enough here. The fact that a QR code can be innocuously passed to gain some form of authorization is awful. If Discord wants convenience, they should implement an automatic prompt into their app like Google does for 2FA. That would require a user to, on their own, accept a completely unprompted authorization request, which is much less of a concern than a user clicking a link or scanning a QR code.

    6
  • FAXES

    Can agree with that comment above. I think Google does a good job of this; a similar system would be good and more secure in the Discord app. Even something as simple as Google's prompt to select the number displayed on the screen on the user's mobile works.

    5
  • Vas

    Shadow_Hunter; I love how your first reply is so downvoted it's made you look very unpopular. I also downvoted, because this is definitely Discord Team's fault.

    It's their job to protect people from hacking attempts and vulnerabilities such as this. They should have tested the new feature they added long before adding it to Discord. They didn't. Now they put their clients at risk of losing a lot of stuff, or worse. I hope this feature is removed from Discord completely, forever. There is no reason to need to scan a QR code to log in, that's just stupid. Worthless feature. Nothing but a security hole.

    I also hope that this feature will end up costing them a lot of premium accounts. Losing income because they chose to release an untested, dangerous feature. People need to start boycotting the support area now to demand this feature get deleted before it gets out of hand. Discord needs to take care of this immediately.

    3
  • advancedlamb

    At least from this we can learn that no matter how callous and arrogant people act, they can be objectively wrong. There's a reason the people justifying this aren't software developers.

    2
  • advancedlamb

    @OFF no shit, but that doesn't remotely answer my question. 

    1
  • TheGxBar

    Best solution to this issue is to display a two/three digit number on your phone after scanning the QR code, and have you type this two/three digit number into the Discord website on the desktop to verify it's you. If it's typed wrong, you get a notification of a failed login attempt, the QR-code login is disregarded and you have to scan another new QR code.

    My suggestion here.
    https://support.discordapp.com/hc/en-us/community/posts/360056269072-Use-a-button-number-method-for-QR-code-signin-

    2
  • TZer0

    To clear up any confusion (because I see a lot of it in this thread):

    The hacker shares a QR code that the victim scans. This logs the victim's account in on the hacker's computer, not the other way around.


    There are a few issues here, allow me to list them:

    1. This was never an opt-in feature. This got enabled for all accounts without any warning and no explanations. This is further compounded by point 3.

    2. This turns something that used to be potentially 2FA (if you have an authenticator of sorts) into 1FA. Sure, you're authenticating this login using an already 2FA-authenticated device, but it is still a one-factor login for that new device. In my opinion, it sounds like a bad technical decision to not at least require 2FA as an additional security precaution. People are much less likely to share such codes with strangers than, say, scan a random QR code, which is compounded by point 3 below.

    3. The option on the phone should be renamed from "Scan QR Code" to "Log In Via QR Code" as the former is not descriptive enough. All of this could've been avoided with this and maybe a warning in red text when clicking on this option.

    4. Discord could've also checked if the phone is at least geographically in the vicinity (by looking at IPs) of the computer client that's being logged in. This would've defeated 99.99% of all these attacks.

    5
  • AboundedBoar9221

    First off, let me just say this. Discord should not have released a feature that has to do with security without looking into flaws or issues that could lead to scams and hacking of others' accounts. Accounts have payment information and other personal information, so this issue should be top priority for Discord. Since they haven't stepped up and fixed this issue yet, security is a major issue and they are violating their own Terms of Service (TOS). Discord NEEDS to fix this issue.

    4
  • JacobRuby

    I don't know if anyone mentioned this in this thread already, but why not change it to where you need to input your email, then click "Login Via QR Code", which will generate a key specific to that email. That completely eliminates any cross-over attempts. The hacker can't just "grab anyone", he has to target a specific person, and know their login email. At that point there's other hacking options.

    Is there a reason I missed as to why you don't need to put an email in? I understand it's supposed to be "one step login", but come on. Nothing that easy could ever be secure.

    2
  • KurtCobain

    This is 100% Discord's fault. It should not be possible for anyone other than Discord to get account information by scanning a QR code through Discord. The fact that it is possible tells me that they did not secure this at all.

    2
  • KurtCobain

    Also, the lack of Discord staff responding to or posting ANYTHING about this is highly disturbing. Please, Discord staff, do SOMETHING about this!

    4
  • Zarius Corten

    Speaking as someone who's been working IT for more than 20 years, yes, it *is* the fault of the people falling for this shit. Imagine for a moment if people had to have the same basic instruction to use their computers that they do to drive a car?

    No, I'm not saying it's OK to scam them, but stop blaming the Discord team for the stupidity of others. ASK them to try to patch the problem, rather than ranting and raving about a feature that, if they did it right, would be perfectly safe.

    -1
  • KadotyGamer

    They could make a 2FA that is similar to what Google does on a device logged in to your account. After you scan the QR, you then get a notification saying a device is trying to log in to your account, do you want to allow this device access to your account? Yes or No

    Upon selecting Yes, account access is granted and that device is able to log in.

    If you select No, it immediately denies the other device access to your account.

    4
  • lizzkitt3h

    The geographic vicinity is a good idea, but if it was a flat ban it could cause some problems. For example, if you're using a VPN for one device and not the other, or if the cellular network's GPS location is inaccurate, Discord's location check wouldn't work. For example, with my old internet company, our listed location was consistently wrong from my actual location. So while my cellphone would be correct, my desktop was not. If you were in a location with no wifi, it wouldn't be possible to fix this issue by connecting to the other network either.

    2
  • SkyDiscovery | Jonas

    Easy solution for Discord to fix:

    You have to be logged in to the same account on the mobile device which is registered to the QR code.

    0
  • TZer0

    @lizzkitt3h

    Those cases would be rather rare. Just use password + authenticator in that case.

    1
  • akac

    Many people are getting their account stolen because of this exploit. This should be fixed as soon as possible. Maybe check for the IP the QR code is scanned on? Or check if the account has already been logged in on the computer before?

    0
  • StrgAltEntf

    The QR code should be bound to something account-specific, not only to the IP address or a session ID. It should only appear after you specify which account you want to log in to by specifying the email address. This way the attacker would need to know the email address and would need to contact the victims one by one.

    0
  • tipsyGambler

    Oh there's an easy solution to this. Do what Google does.
    That is, when connecting through the QR code, show a random number on the PC, which I then have to select on the phone from 3 options. Maybe even more, like 5 options, to confirm the YES to log in! It's simple, effective, and you don't have to switch apps for 2FA!

    1
  • Kamel

    I'm a Software Engineer in Test, so helping teams work through ambiguity is what I do as a day job. I think it is essential everyone fully understands what is happening in order to be able to weigh in on whether they see this as a problem or not.

    I think I may be able to help clear up what's going on by leveraging a test scenario. It doesn't require you to know anything to understand; just read it from top to bottom and you should be able to follow along.


    Background:
    Given a malicious user Foo
    And a naive user Bar
    When Foo visits discordapp.com
    And Foo clicks "Login"
    Then Foo is presented with a QR code as an option to log in
    And Foo captures QR code image

    Scenario: User Bar unintentionally permits Foo to log in to Bar's account
    Given Foo presents the captured QR code to Bar
    And Bar is logged in to their discord account
    And Bar is convinced to scan the QR code
    And Bar has 2 factor authentication enabled
    When Bar scans the QR code
    And Bar accepts the prompt asking to log in
    Then Bar is not presented with 2FA
    And Foo is logged in to Bar's account

    This would be considered a requirements gap rather than a flaw/exploit/defect as it appears to be working as designed, but probably not an expected use case.

    For fun, here is a potential better way to implement this feature

    Feature: Easily log in to another device using QR Code

    Background:
    Given A registered user
    And the user _does or does not_ have 2FA enabled on their account
    And the user is in possession of an authenticated device
    And the user tries to log in on a new device
    And the user is presented with a QR code
    When the user scans the QR code
    Then the authenticated device displays a unique code
    And the authenticated device includes a link below the code with the text, "Not trying to sign in?"
    And the new device prompts the user to type in the code

    Scenario: Correct Code
    Given the QR login request is legitimate
    When the user types the correct code in the unauthenticated device
    Then access is granted on the unauthenticated device
    And the prompt disappears from the authenticated device

    Scenario: One time failure
    Given the QR login request is legitimate
    When the user types the incorrect code in the unauthenticated device
    Then the user is prompted to retry the entry
    And the user is prompted with a captcha

    Scenario: Illegitimate Request
    Given the QR login request is not legitimate
    When the authenticated device user clicks/taps "Not trying to sign in?"
    Then the authenticated device leaves the code entry screen
    And the authenticated device pulls up a help document
    And the one time code is nullified
    And the user is given the option to report suspicious activity

    Scenario: Retries exceeded
    Given it is not known if the request is legitimate
    When the user types in an incorrect code 3 times
    Then the user is sent back to the login page
    And the account is locked
    And the account holder is notified


    0
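The confirmation-code flow sketched in the scenarios above (and in the earlier "type the number shown on your phone" suggestions) can be modelled as a small server-side state machine. The following is an added illustration written for this thread, not Discord's implementation: the class and function names (`QRLoginService`, `legitimate_login`, `relayed_qr_attack`, `victim_backs_out`), the six-digit code and the three-attempt limit are all assumptions chosen to match the scenarios. The point it demonstrates is that the QR code itself carries only a request id; the secret that actually grants access is shown on the already-authenticated device and must be typed on the unauthenticated one, so relaying a captured QR to a victim no longer completes a login.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_ATTEMPTS = 3   # "Retries exceeded": the third wrong code locks the account (assumed)
CODE_DIGITS = 6    # length of the code displayed on the authenticated device (assumed)


@dataclass
class LoginRequest:
    request_id: str
    account_id: Optional[str] = None  # bound only once an authenticated device scans
    code: Optional[str] = None        # shown on the authenticated device, never in the QR
    attempts: int = 0
    state: str = "pending"            # pending -> awaiting_code -> granted|cancelled|locked


class QRLoginService:
    """Hypothetical server-side state machine for the confirmation-code flow."""

    def __init__(self) -> None:
        self.requests: Dict[str, LoginRequest] = {}
        self.locked_accounts: Set[str] = set()
        self.notifications: List[Tuple[Optional[str], str]] = []

    def create_request(self) -> str:
        # The QR encodes only an unguessable request id. Scanning it identifies
        # the pending request; it grants nothing by itself.
        rid = secrets.token_urlsafe(16)
        self.requests[rid] = LoginRequest(request_id=rid)
        return rid

    def scan(self, rid: str, account_id: str) -> str:
        # Called from the authenticated device. Returns the code that device must
        # display; whoever sits at the unauthenticated screen has to type it.
        req = self.requests[rid]
        if req.state != "pending":
            raise ValueError("request is not pending")
        if account_id in self.locked_accounts:
            raise ValueError("account is locked")
        req.account_id = account_id
        req.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        req.state = "awaiting_code"
        return req.code

    def submit_code(self, rid: str, typed: str) -> str:
        # Called from the unauthenticated device: constant-time compare, bounded
        # attempts, and lockout plus owner notification when they run out.
        req = self.requests[rid]
        if req.state != "awaiting_code":
            return req.state
        if hmac.compare_digest(req.code.encode(), typed.encode()):
            req.state, req.code = "granted", None
            return "granted"
        req.attempts += 1
        if req.attempts >= MAX_ATTEMPTS:
            req.state, req.code = "locked", None
            self.locked_accounts.add(req.account_id)
            self.notifications.append((req.account_id, "locked: repeated wrong QR login codes"))
            return "locked"
        return "retry"

    def not_me(self, rid: str) -> str:
        # "Not trying to sign in?" on the authenticated device nullifies the code.
        req = self.requests[rid]
        if req.state == "awaiting_code":
            req.state, req.code = "cancelled", None
            self.notifications.append((req.account_id, "user reported a suspicious QR login"))
        return req.state


def legitimate_login() -> str:
    """One person holds both devices, reads the code on the phone and types it."""
    svc = QRLoginService()
    rid = svc.create_request()          # new laptop shows the QR
    code = svc.scan(rid, "bar")         # phone scans and shows the code
    return svc.submit_code(rid, code)   # typed on the laptop -> "granted"


def relayed_qr_attack() -> Tuple[str, bool]:
    """Foo relays a captured QR to Bar (the scenario from the thread). The code
    appears on Bar's phone, which Foo cannot see, so Foo can only guess.
    Constructed guesses that are known to be wrong stand in for blind guesses."""
    svc = QRLoginService()
    rid = svc.create_request()          # Foo's screen
    real = svc.scan(rid, "bar")         # Bar scans Foo's QR
    outcome = "retry"
    for i in range(1, MAX_ATTEMPTS + 1):
        wrong = f"{(int(real) + i) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
        outcome = svc.submit_code(rid, wrong)
    return outcome, "bar" in svc.locked_accounts   # ("locked", True)


def victim_backs_out() -> str:
    """Bar taps 'Not trying to sign in?' first; even the right code is then useless."""
    svc = QRLoginService()
    rid = svc.create_request()
    real = svc.scan(rid, "bar")
    svc.not_me(rid)
    return svc.submit_code(rid, real)   # "cancelled"
```

Two design choices carry the security weight: the request id in the QR is bound to an account only when an authenticated device scans it, and the code that completes the login travels in the opposite direction from the QR (displayed to the account holder, typed on the new device), so the party who generated the QR never receives it. The attempt counter and lockout cover the "Retries exceeded" scenario; the `not_me` path covers "Illegitimate Request".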
  • Mr.Happyman

    MAJOR FLAW agreed.


    Maybe give you the option to still have 2FA for qr login in your settings?

    0
  • Elliott

    Discord have updated the QR code page. Before it logs you in, it now displays (in red text) a warning telling you that you're logging in, and to never trust QR codes sent from other users.

    1
