How Discord can stop token loggers.
Token logging has been a massive issue over the years with tens of thousands of people (Or possibly even more) getting breached every year. The problem is there is no active solution that helps combat this aside from contacting support and hoping for the best that your account will actually get recovered.
Here is my proposed solution on how token loggers can be rendered essentially useless and stopped for good while also being minimally invasive and using current technology that's already implemented into Discord:
If a new device tries to access a Discord token that is currently in use, its access would be restricted until further verification is completed via email or the mobile Discord app (a less resource-intensive way to go about this would be to check that the browser user agent and IP match those of the original owner's device after a singular action of any sort is made. If it passes, don't check for a period of time as mentioned later. If it fails, lock the device out). The client in this limited state should not be able to send messages or view the email/phone number associated with the account, but may function as normal otherwise.
To enhance security, Discord can implement a system that periodically verifies whether the devices currently using a token match the actual device it belongs to, in the form of a heartbeat (this would also cover those who were already breached prior to this implementation if it were put in place).
That method is not completely foolproof, though. What if someone spoofs their browser user agent to match that of the actual owner (assuming hardware ID verification is not used)? In that case, to add an extra layer of verification, an IP check can be used to compare the original device owner's IP to the new device's and see whether they are too far from each other (ex. if the original owner is from Dallas, Texas and the new device is located in Kansas City, Missouri).
With this, we should see a dramatic decrease in users being token logged, thus creating a more positive and safer environment for the platform.
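The heartbeat described in the post above, as an added example that is not from the original post or from Discord: a token is bound to the device's user agent and IP-derived location, a check is skipped inside a grace window after the last pass, a mismatch drops the client to the limited state (no messaging, no contact details) until out-of-band verification rebinds it, and a spoofed user agent alone still fails the distance comparison. The 300 km threshold, the 15-minute interval and the availability of IP geolocation are assumptions; the post names no numbers.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_DISTANCE_KM = 300.0       # assumed threshold; the post names no number
RECHECK_INTERVAL_S = 15 * 60  # assumed heartbeat period; the post names no number
RESTRICTED_ACTIONS = {"send_message", "view_email", "view_phone"}

@dataclass
class Session:             # device attributes bound to the token when issued
    user_agent: str
    lat: float
    lon: float
    last_verified: float   # epoch seconds of the last check that passed

@dataclass
class Request:             # what the server sees on each action from the device
    user_agent: str
    lat: float             # geolocated from the request IP (assumed available)
    lon: float
    ts: float

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two coordinates, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    half_dlat, half_dlon = (p2 - p1) / 2, math.radians(lon2 - lon1) / 2
    a = math.sin(half_dlat) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(half_dlon) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def evaluate(session, req):
    """Heartbeat check: return 'full' or 'limited' for this request."""
    if req.ts - session.last_verified < RECHECK_INTERVAL_S:
        return "full"      # inside the grace window: skip the comparison
    ua_ok = req.user_agent == session.user_agent
    too_far = distance_km(session.lat, session.lon, req.lat, req.lon) > MAX_DISTANCE_KM
    if ua_ok and not too_far:
        session.last_verified = req.ts   # passed: open a new grace window
        return "full"
    # Fingerprint or location mismatch (a spoofed user agent alone still fails
    # the distance check): hold the client in the limited state until verified.
    return "limited"

def permitted(state, action):
    """Limited clients keep everything except messaging and contact details."""
    return state == "full" or action not in RESTRICTED_ACTIONS

def verify_out_of_band(session, req):
    """After e-mail / mobile-app confirmation, rebind the token to this device."""
    session.user_agent, session.lat, session.lon = req.user_agent, req.lat, req.lon
    session.last_verified = req.ts
```

The Dallas/Kansas City pair from the post is roughly 730 km apart by this formula, so a cloned token used from there with a copied user agent lands in the limited state.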
Discord has more pressing issues like people losing their accounts for ridiculous rules they have managed to mess up their site. Yet you want more rules upon rules in place instead of satisfying the customers who use their site. Lol
Masonportman46, I've never heard of anyone getting banned for ridiculous reasons that does not involve some form of violation. This comes from someone who's owned numerous 30k+ member servers as well as managed servers scaling up to 100k members.
Nonetheless, your reasoning is completely unrelated to the subject at hand. My idea was to help prevent account takeovers, which is a very big issue within the platform. Nothing I mentioned imposes more rules if you took the time to carefully read what I said. All it does is utilize already existing technology within the platform and add extra security measures that'd have zero real-world effect on you unless you either logged in from a new device farther away than where you usually would (ex. if you traveled to another city and logged in on a cousin's computer) or if you got breached.