[Suggestion] Make mentions of user IDs visible again - Now they just show "@unknown-user"
This change is making it really difficult to moderate servers when their user ID has not been indexed beforehand. Especially because username loading is extremely lazy on mobile platforms.
Pleast at least return “Copy ID” for users who have “developer mode” enabled.
Description:
- Users that are not indexed show as "@Unknown-user"
- Clicking their mentions shows an error message "You don't have access to this link. This link is to a user you don't have access to."
In the past it was possible to:
- Retrieve user IDs from non indexed users as it would just show ``@userid`` with the numbers visible.
- Right click user name mentions and select "Copy ID" with developer mode enabled.
- Perform lookups for moderation since they were searchable.
- This is now seemingly obscured, even in the source code, making mentions a useless way to handle user IDs and moderate users across multiple servers.
This is a huge problem since many scammers intentionally use obscured usernamed and UNICODE characters in order to escape detection. I run a moderation bot where I review scammers for many servers and now doing these reviews is rendered extremely difficult. I would suggest that Discord at least shows IDs when developer mode is enabled because this is extremely difficult to work with for moderators.
- What are other bot developers using as workaround? Including user IDs separately as a habit?
- Discord developers, can we please get this returned? This makes reviewing scammers SO much more difficult for moderators.
All user mentions from bot logs are obscured now:
The right clicking of mentions no longer shows “Copy ID” if the user is not undexed. Their ID can also not be copied from right clicking the non-indexed broken mention.
The website source code obscures the ID:
The error message shown when clicking broken non-indexed user mentions:
-
Worst feature I've seen in the last 5 years, whoever thought a feature that breaks bots and disturbs moderation was a good idea needs to lose their job asap.
11 -
Whatever changes that Discord has made to this, needs to be reverted. It is breaking every bot.
Any changes that break functionality needs to be have deprecation tags, and versioning. And it's very clear they didn't do this.10 -
+1 complaint, please revert or change this feature. Makes it almost completely impossible to moderate users quickly, even fresh joins to a server. Even the dev mode suggestion would fix it but many moderators do not want or should not need this feature to perform basic tasks such as looking at a user profile.
7 -
Absolutely ludicrous that this made it through to prod without anyone thinking “hey, maybe this might introduce some unwanted side effects”. If Discord wants to be the go-to place for communities, step one would be to stop breaking things that enable those communities to be managed. As others have noted, this has now broken major functionalities on moderating features including bots and such power user features as the ability to see which user has been mentioned, with the most unhelpful error message ever devised (which is flat out incorrect; the user definitely has access to that info).
Even worse this was a shadow update that introduced a breaking change. No update log exists for this patch, at least not anywhere I can find. Anyone that has done any work in any development capacity should understand that you cannot introduce notable changes without telling people something has changed, and especially not breaking changes. It is frankly insane and would not be tolerated in any serious tech company.
I cannot emphasize this enough: anyone involved in this “feature” from ideation to production release needs firing. You cannot have a clown show where breaking changes are pushed to production without changelogs and without deprecation warnings. A lot of the “features” released recently have been bad, but this one absolutely takes the cake. At best this looks like no one at Discord uses their own app and therefore understands the implications of this change, at worst it looks like there is no process and developers are simply pushing random changes to prod with no rhyme or reason.
Do the right thing, revert this update, throw it in the bin, and have a good hard look in the mirror, because the way you are doing things is not acceptable.
7 -
My response:
There seems to be a disconnect with the userbase and the developers for how a lot of moderators who use Discord regularly use IDs to search and moderate users. Many scammers intentionally obscure names using UNICODE fonts and rename their usernames often in order to escape detection.
Identifying accounts using User IDs is necessary in order to effectively moderate communities. Especially many moderation bots are now much more difficult to use for moderators. This change will not actually protect any privacy of the users whose ID is being obscured, as you can still retrieve IDs using other methods, it only makes it less intuitive, requiring more clicks and changing bots for users who need to review IDs, such as moderators.
For moderators and power users users, enabling developer mode should not obscure ID, it should at MINIMUM be possible to copy the ID when developer mode is enabled.
Removing an important feature like this without notifying developers and the community beforehand, nor include it in patch notes and more seems very irresponsible.
The expressed concern here is not a complaint, but from the utmost care for the good of the platform and the users of Discord. Best Regards
7 -
This Unknown user nonsense seems like a gut reaction to spy pet. This wrecks moderation for people that use bots. I also believe I have been having rate limiting issues, with the new members tab working and not working constantly throughout the day.
These changes for privacy have harmed human moderation, I really hope they are reverted.
6 -
For regular messages, you can still retrieve the user ID of mentions if you use the option “Copy Text”, it makes the process that much more tedious however as in the past you could just copy the ID for unindexed usernames.
However IF the message contains an EMBED, this is no longer possible AT ALL!
5 -
I got a response from Discord support regarding this and it is supposedly a hidden security update that was not notified to any developers or advertised ahead of time.
"This behavior is part of recent privacy and security updates to ensure user information is adequately protected and only accessible when necessary."
Full text:
Hello Cragsand,
Thank you for your detailed report concerning the issue where user IDs are replaced with "@unknown-user" when mentioning users that haven't been indexed or cached. We understand this can impact moderation and other user account review processes.
This behavior is part of recent privacy and security updates to ensure user information is adequately protected and only accessible when necessary. Here’s what can be done:
1. **Role Permissions**: Ensure you have the necessary permissions in the server to view user details.
2. **Active Engagement**: Try interacting or having the said user actively engage in the server, which might help in caching their ID for visibility.
3. **User Settings**: Users should verify their settings to allow others to mention them wherever applicable.
We appreciate your cooperation and understanding as we navigate maintaining privacy while supporting community management needs.
Best regards,5 -
I help moderate 68 streamer communities and review hundreds of accounts each day to spot scammers. It's very common for scammers to hide malicious links in their descriptions, meaning I have to actually open their profile and get it cached. Making mention data irretrievable inside embeds, makes all my old bot logs with user IDs unreadable for lookup. This makes my job as a moderator that much harder and as Valkyria Fin pointed out - this change only makes it harder for humans - not actual malicious bots.
Some months back Discord also implemented a mitigation for reading profiles, a rate limit if you open too many in a too short amount of time. It makes ALL profiles unable to be read, including my own. This hits me every other day now when reviewing accounts. It makes me unable to open profiles at all until waiting it out 1-3 hours. This is another huge problem that should NOT be affecting dedicated “human” moderators.
Moderators should be exempt for this kind of rate limiting. My support ticket for this problem has been juggled around and ignored for several months now.
5 -
I believe this change is also related. Member browser no longer shows all members, just what Discord deems “Recent Members” (of course, without explaining what is meant by this). Meaning it is not possible to actually use the server browser to meaningfully browse all members. See picture below. 12*68 is 816, for the record. So though the server pictured indeed isn't the most active, I can only see significantly less than half of the members using the tool intended for me to be able to see and manage members.
Oh, and also note that the second underlined number, 2146, shows the whole server member count, not the amount I can view in this, which is rather silly. I presume there are enough empty pages there to fill that number, but I can't actually view the users on those pages. While it would be a fun exercise to see if the prune function still works correctly or if they broke that too, I don't think people would appreciate being kicked off a server for science. The empty pages are a relatively obvious bug, but I can't see this being an unrelated change. The update was clearly rather rushed, since the bug is very obvious and would be caught by the most cursory testing.
Why, as a moderator, can I not use Member Browser, the tool for managing and finding members in my server, to actually do so for all members of my server? This is a tool only available to moderators. Is moderators being able to moderate now a privacy and security risk? Moderators keep users and communities safe, and this update is actively hindering our ability to do that. This is the exact opposite of what you should be doing if you want Discord to be a more safe place.
Again, do the right thing, revert the update, and have a long think about why you're breaking things that work while insisting it somehow improves security, when it does nothing to address the ongoing scraping by bots that has made it to the news. I've half a mind to contact a news outlet for a follow up about how bots scraping has now apparently resulted in human moderators being inconvenienced or in some cases flat out unable to do their jobs while bots continue as they are due to poor development decisions apparently made out of desperation to appear as doing something.
5 -
Whoever made this change has no idea what moderators are doing on a daily basis on servers with hundreds or thousands of members.
The people who needed to see the IDs are the mods, it doesn't matter that regular users could see them. The amount of scammers that join servers out numbers regular users 8:1 on some of the servers I moderate for. Not having access to the ID immediately has slowed down our operations significantly and is actually putting users at risk because scammers aren't being removed readily enough now.
This change needs to be reverted or be a toggle in dev mode at the very least. If Discord devs cared any bit about security, this is something that needs to be looked into asap.
5 -
1. **Role Permissions**: Ensure you have the necessary permissions in the server to view user details.
I'm complaing as a server owner and admin, gee I wonder would they have permission to do this? :^)
2. **Active Engagement**: Try interacting or having the said user actively engage in the server, which might help in caching their ID for visibility.
Useless advice. Malicious bots almost always specifically avoid activity to fly under the radar, often not even completing any verification processes to remain unnoticed.
“3. **User Settings**: Users should verify their settings to allow others to mention them wherever applicable.”
Do they know how their own app works? This is not a thing a user can disable. You literally cannot prevent people/bots from directly @ mentioning you (besides blocking; but this is not applicable for this case at all), a flaw (arguably, bug) that has plagued this app for years. Also not relevant to the case because I'm quite sure the ping is there, other users just can't access the embed for it.4 -
Cheers! We got the problem forwarded, escalated and a fix applied!
There is now an option to “Copy user ID” with developer mode enabled when right clicking “@unknown-user” (uncached usernames) as such:
Cheers everyone and thank you for lending your voices to have this changed! 💙
More on the growing scammer situation…
The scammer situation on Discord has gone from bad to worse to even worse lately. This much is clear as many fellow moderators are sharing their experiences here. What is clear is that the tools available to moderators need to be improved. Here are some more things that could be improved:
- The member panel should display the “about me” information for moderators directly, without having to cache usernames since many scammers hide malicious links there and viewing too many profiles gets your account rate limited. Even if you are a moderator. Seeing as some scammers join, send mass DM:s and then leave, in order to escape getting flagged for “Suspicious DM activity” or “Spam” also caching users who have left for a couple of days would help in regards to this.
See: https://support.discord.com/hc/en-us/community/posts/20747711231767--Suggestion-New-Mod-View-is-missing-About-me-page - Disable backup code resetting to prevent the illicit trade of hijacked accounts. Allow people to lock themselves out, instead of becoming vectors for spreading more hijacking scams. This may be a somewhat unpopular suggestion but I think it's becoming required because of how often scammers use and trade hijacked accounts in order to bypass phone verification.
See: https://support.discord.com/hc/en-us/community/posts/22038324509463--SUGGESTION-Disable-backup-code-reset-to-reduce-account-theft
To get this change and make the jobs easier for “human moderators" (ugh that we even have this term now…) please consider upvoting and spreading awareness of these problems!
Best Regards
Crag
4 - The member panel should display the “about me” information for moderators directly, without having to cache usernames since many scammers hide malicious links there and viewing too many profiles gets your account rate limited. Even if you are a moderator. Seeing as some scammers join, send mass DM:s and then leave, in order to escape getting flagged for “Suspicious DM activity” or “Spam” also caching users who have left for a couple of days would help in regards to this.
-
RE the above reasoning (thank you very much for relaying that here, Cragsand!):
The ID can still be accessed, it is just less convenient for humans to do so. This does nothing to actually protect the ID - nor should it need to be protected, since it is a primary means of identifying a user. The reasoning falls entirely flat on its face. Additionally, the first instruction provided has no bearing on this, number two and especially number three meanwhile are something controlled by the user whose ID is in question, not something server moderators can make happen. This is a list of non-solutions to a problem that they created to address an issue that didn't (or shouldn't) exist.Further, I would note that the Discord API exposes data that creates a much more significant security risk for communities and enabling automated scraping of user data. For anyone reading this that is unaware, this means that any account in your server - any at all - can use third-party tools and software to see the names, creation dates, roles and users with access, and the last message timestamp for any channel, including those limited to certain roles and hidden from regular users. These same third-party tools also enable the collection of information like linked accounts and services. The fact the API provides all of these without requiring the client to provide more authentication than simply having an account in the server has been exploited for years by various third party clients and has most recently made news with the spy.pet site/group/service creating dummy accounts by the boatload and using them to scrape large amounts of servers and accounts, and then selling that data to anyone that wishes to pay for it.
In fact, I would bet money that a third party client will offer or seek to offer a feature in which every member of the server will be automatically cached, so users of that client don't have to deal with this at all. Only legitimate users will therefore be impacted by this.
If Discord wishes to address privacy and security, which I would wholeheartedly welcome, I would suggest they start looking into concepts such as zero trust, baked in security, and overexposure, and look at issues that enable robots to work to collect data on servers and users rather than looking to make things harder for humans to do. Making something less convenient such as here is only going to hinder legitimate users, while those who don't play by the rules will be unhindered by the change in the rules. And finally, I will offer up a maxim that has proven itself time and time again in security: security at the cost of usability comes at the cost of security.
P.S. I assume someone will offer up the reasoning that third-party clients are against Discord's ToS. You'd be correct, they are. So are, however, harassment and any number of other negative actions that one might believe getting a user's ID enables.
3 -
The ID can still be accessed, it is just less convenient for humans to do so. This does nothing to actually protect the ID - nor should it need to be protected, since it is a primary means of identifying a user. The reasoning falls entirely flat on its face.
Further, I would note that the Discord API exposes data that creates a much more significant security risk for communities and enabling automated scraping of user data. For anyone reading this that is unaware, this means that any account in your server - any at all - can use third-party tools and software to see the names, creation dates, roles and users with access, and the last message timestamp for any channel, including those limited to certain roles and hidden from regular users.
But but but … security by obscurity is surely the best way to protect information! /s
- https://arstechnica.com/tech-policy/2021/10/viewing-website-html-code-is-not-illegal-or-hacking-prof-tells-missouri-gov/
- https://arstechnica.com/tech-policy/2021/10/missouri-gov-calls-journalist-who-found-security-flaw-a-hacker-threatens-to-sue/
Seriously: this whole “unknown user” UX/UI change does nothing to improve the privacy or security of users and instead just creates an inconvenience for those who help keep Discord Guilds clean in an effort to maintain a sense of community. I'm all for improving the privacy and security of my own data, let alone others, but it certainly feels like there was no consultation between moderators and Discord's developers nor was there an independent code audit to ensure this change actually resulted in an improvement to privacy and security of user data.
2 -
Whatever changes that Discord has made to this, needs to be reverted. It is breaking every bot.
1 -
Looks like this is a problem again in the most recent Android Discord Client update.
I don't know the reasoning behind rolling back this feature as it makes it difficult once more for moderators reviewing logs. It's like development has regressed instead of progressed.
You can no longer click on @ unknown-user to select “Copy ID” on mobile.
Example screenshot: (These are not clickable any more)
Discord Version:
1 -
To clarify. this is the “Copy User ID” dialog that should be shown, which is currently broken on Android.
It works on iOS.
1 -
how do I ban their user id from entering the server when inputting <@ id #> format and its coming up as User unknown.. I have people being harrassed and stalked and scammed and this is allowing it.. Im using DC bots and when it says the main it shows the ID number but does no good I cant ban them cuz I cant find their main.. Discord.ID will show their current user name but does no good if I have no clickable way to ban them.
-1 -
hey mariahgreer,
you can simply use the built-in banning functionality to ban users by user id.
example:
/ban user-id
-1 -
This change is making it really difficult to moderate servers when their user ID has not been indexed beforehand. Especially because username loading is extremely lazy on mobile platforms. To streamline the process, consider implementing trolley keyrings that can instantly link to user IDs, ensuring efficient moderation even in dynamic server environments. This innovative solution enhances accessibility and responsiveness, addressing challenges posed by delayed username loading on mobile devices.
-1 -
you can simply use the built-in banning functionality to ban users by user id.
تنسيق حدائق بالرياض
-1
Du måste logga in om du vill lämna en kommentar.
Kommentarer
22 kommentarer