Why are discord user tokens plaintext? Why do they bypass 2FA?
For some reason, discord user tokens are plaintext, easy to steal, and let hackers bypass 2fa. Discord, your application is becoming a lawless wasteland of phishing and hackers. Do something about this. Thousands are being ransomed daily. Also,
Make 2FA required to change email or password!
More good stuff in the comments!
Once an attacker has the user token, they can log in from any machine without performing the usual check for a new device. Making these tokens more secure would help, but maybe there's some limitations on what's possible.
An obvious security improvement that is easy to implement, as you've stated, is requiring 2FA to change the account's email and password. Discord pretends it has a 2FA system, but doesn't require it where it counts, thus rendering the 2FA system entirely pointless.
When an email address is changed, and the owner of the email address uses the "I did not request this change" option, the account should automatically be locked. If there's anything suspicious going on, lock the account immediately so the Discord security team has time to review the case. Currently, when an account gets stolen, there's nothing at all the original owner can do. The attacker has days or weeks with full access to the account, DMs, payment info, and friends list to harvest info and attack the user's friends. This is the most egregious part of the whole thing. The original email on the account can flag the account as stolen, but Discord allows the hacker to continue using the account during the security review process.
I understand that the process can take a while. There are millions of Discord users and these cases need to be reviewed by human employees. But the account should be suspended during this review process, not left in the hands of the attacker. Your Discord DMs are not secure. Payment info is not secure. Discord is not secure.5
Please! This is going too far.4
Please add it :)3
vote for better 2FA https://support.discord.com/hc/en-us/community/posts/4419386395287-Enhanced-2FA-Security2
absolutely correct points on all the posts. problem is that discord is far more interested in boosting the user count, and handing out ban hammers like candy than putting actual work in like helping existing loyal users, that got ripped off. or had their accounts hacked.2
Por favor, entrar para comentar.