Why are discord user tokens plaintext? Why do they bypass 2FA?



    Once an attacker has the user token, they can log in from any machine without performing the usual check for a new device. Making these tokens more secure would help, but maybe there are some limitations on what's possible.

    An obvious security improvement that is easy to implement, as you've stated, is requiring 2FA to change the account's email and password. Discord pretends it has a 2FA system, but doesn't require it where it counts, thus rendering the 2FA system entirely pointless.

    When an email address is changed, and the owner of the email address uses the "I did not request this change" option, the account should automatically be locked. If there's anything suspicious going on, lock the account immediately so the Discord security team has time to review the case. Currently, when an account gets stolen, there's nothing at all the original owner can do. The attacker has days or weeks with full access to the account, DMs, payment info, and friends list to harvest info and attack the user's friends. This is the most egregious part of the whole thing. The original email on the account can flag the account as stolen, but Discord allows the hacker to continue using the account during the security review process.

    I understand that the process can take a while. There are millions of Discord users and these cases need to be reviewed by human employees. But the account should be suspended during this review process, not left in the hands of the attacker. Your Discord DMs are not secure. Payment info is not secure. Discord is not secure.

    Absolutely correct points on all the posts. Problem is that Discord is far more interested in boosting the user count, and handing out ban hammers like candy, than putting actual work in, like helping existing loyal users that got ripped off or had their accounts hacked.