PSA: PROTECT YOUR EMAILS AND DISCORD TOKENS / The vulnerabilities of 2FA and phone numbers.
Hi all.
This will just be a dump of what I have learnt during my experiences with being hijacked.
Disclaimer: I do not claim to be an expert on the subject. I'm merely presenting my findings and conclusions. Feel free to voice changes in the comments below.
TL;DR
Once the hijacker gets access to your email and Discord account, you'll essentially be left at the mercy of Discord support. PROTECT THESE.
Explanation
So you clicked on some link, or downloaded and ran some shady software…
Yeah, everyone makes mistakes.
If you're lucky like me, you will only have your tokens, logins and sessions stolen, and there won't be keyloggers or ransomware hidden within your PC.
Now, once these token loggers/session stealers are executed, they search your PC, typically somewhere under AppData\Local or AppData\Roaming, for your login tokens and saved credentials, and send them back to the hijacker.
Using my case as an example, the malware obtained 2 things:
- Discord tokens, stored in AppData\Roaming\discord\Local Storage and Web Storage
- Gmail tokens, stored somewhere in AppData\Local\Google\Chrome\User Data\<Profile_name>\Web Data
The malware grabs saved usernames and passwords too, but on their own those are stopped by 2FA. A token is different: it is the credential the site hands your client after you have already completed the login, 2FA included, so whoever holds it is treated as already logged in and is never asked for a code.
Once they've logged into your accounts by writing the stolen token into their own browser's storage for that site (through the developer tools, for example), they'll often do these 2 things:
1. Change the email associated with your Discord account. This essentially gives them backdoor access into your account, as they can simply request a password reset email even if you change the current password.
2. Change the password associated with your account. This fully locks you out.
Then the damage begins: they spread the same malware to your friends via DMs, spam-buy Nitro with your account, and so on.
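To make the two points above concrete (a stolen token skips 2FA entirely, and a password change only helps if it kills existing sessions), here is an added toy model of bearer-token login. It is example code written for this post, not Discord's or Chrome's code; the "session generation" counter that revokes old tokens is an assumed design, and the account, secret and token values are constructed for the demo.

```python
# Added example (not code from the post, Discord or Chrome): a toy model of
# bearer-token login showing why a stolen token sidesteps 2FA, and why a
# password change should revoke every outstanding session. The "session
# generation" counter is an assumed design, not any real service's behaviour.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the clock is passed in so runs are repeatable."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Account:
    def __init__(self, email: str, password: str, totp_secret: bytes) -> None:
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self.hash_password(password)
        self.totp_secret = totp_secret
        # Every token issued records this number; bumping it invalidates all of them.
        self.session_generation = 0

    def hash_password(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.hash_password(password), self.pw_hash)


class AuthService:
    def __init__(self, revoke_sessions_on_password_change: bool) -> None:
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, Tuple[str, int]] = {}  # token -> (email, generation)
        self.revoke = revoke_sessions_on_password_change

    def login(self, email: str, password: str, code: str, now: int) -> Optional[str]:
        """The interactive login: password AND a current 2FA code, then a bearer token."""
        acct = self.accounts.get(email)
        if acct is None or not acct.check_password(password):
            return None
        if not hmac.compare_digest(code, totp(acct.totp_secret, now)):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, acct.session_generation)
        return token

    def whoami(self, token: str) -> Optional[str]:
        """What every later API call does: the token alone proves identity, no 2FA."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        email, generation = entry
        if generation != self.accounts[email].session_generation:
            return None  # issued before a revocation; treat as logged out
        return email

    def change_password(self, token: str, new_password: str) -> bool:
        email = self.whoami(token)
        if email is None:
            return False
        acct = self.accounts[email]
        acct.pw_hash = acct.hash_password(new_password)
        if self.revoke:
            acct.session_generation += 1  # every token out there, stolen or not, dies
        return True


def simulate(revoke_on_change: bool) -> Dict[str, Optional[str]]:
    """Walk through the hijack from the post against a service with/without revocation."""
    svc = AuthService(revoke_on_change)
    secret = b"constructed-totp-seed-for-demo"  # constructed, not a real secret
    svc.accounts["victim@example.com"] = Account("victim@example.com", "hunter2", secret)
    now = 1_700_000_000

    # 1. The victim logs in normally: password plus the current 2FA code.
    victim_token = svc.login("victim@example.com", "hunter2", totp(secret, now), now)
    local_storage = {"token": victim_token}  # what the stealer reads out of AppData

    # 2. Password alone (leaked or phished) is stopped by 2FA: the code is wrong.
    wrong_code = f"{(int(totp(secret, now)) + 1) % 1_000_000:06d}"
    password_only = svc.login("victim@example.com", "hunter2", wrong_code, now)

    # 3. Replaying the stolen token needs neither password nor 2FA.
    replayed = svc.whoami(local_storage["token"])

    # 4. The victim changes the password; does the stolen token survive?
    svc.change_password(victim_token, "correct horse battery staple")
    after_change = svc.whoami(local_storage["token"])
    return {"password_only": password_only, "stolen_token": replayed,
            "after_password_change": after_change}
```

Run `simulate(False)` and `simulate(True)` to compare: in both cases the password-only attempt fails and the stolen token is accepted without any 2FA prompt; the difference is whether the victim's password change leaves the attacker logged in. Whether a real service behaves like the `True` case is up to that service, which is exactly why the post says you are at the mercy of support once the token is gone.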
2FA and Phone numbers
Well, from what you've gathered above, you've probably realised that your 2FA doesn't do much against a stolen token, because the token was issued after the 2FA check had already passed.
That being said, you should have some form of 2FA in place to protect against password leaks and brute-force intrusions.
On top of that, your 2FA can be removed by the hijacker quite easily: all they have to do is request to view the backup codes, confirm the verification email in the inbox they now control, and voilà, your 2FA is disabled.
Your phone number is even more easily removed: all that's required is your Discord account password to confirm…
And if you want to use your phone number to reset your password, the reset goes to the email attached to the Discord account, which the hijacker has already changed…
What you should do to protect yourself
These are common sense, but we're only human, after all…
1. Be Vigilant, even around close contacts. You never know when someone has been hijacked.
2. Don't click on random links/download random files. Check them first.
I recommend Triage for file analysis and Virustotal for links.
3. Don't store sensitive data within browsers or Google; use a password manager like Bitwarden or LastPass.
Token Protection
Unfortunately, I don't know of a method to protect browser tokens, as every browser seems to store these somewhere within your AppData.
However, there are 3rd party applications that you can use to protect your discord tokens. I won't be listing any here to adhere to subreddit rules.
If you've made it this far, thanks for reading, and I hope my findings have helped.
If you have further questions, don't hesitate to ask.
Discord, I hope you see this, and address the token/support issues someday.