Security measures against token stealers/AnarchyGrabber
The malware AnarchyGrabber that compromises user login tokens has been spreading since 2020 and it is recently spiking again. My main account got compromised because of this as well, and doing some research revealed some major security flaws that Discord has. Here are some suggestions to help combat this exploit. This would not only be beneficial to the users, but also to the support team, which is so stressed that account recovery takes weeks to months.
1) Remove 2FA backup keys. The malware can simply grab this and circumvent anything that requires phone verification. If anyone genuinely loses their phone, I'm sure support could handle that instead of having to handle 1000s of hacked accounts every day.
2) Require E-Mail verification for changes to E-Mail and Password. This is a basic security feature that almost every other service has. If this was in place, then a hacker with a stolen login token could only be on the account until the real owner changes the password. What is happening right now is that the login token gets compromised, and then the hacker instantly changes E-Mail and Password so that the real user can't do anything about it, as no verification is in place, especially since 2FA can simply be disabled via point 1).
3) Freeze accounts that got reported as hacked by the original E-Mail address. You already have ways to confirm whether the ticket was opened by the original E-Mail address. If the original E-Mail address says that the account got compromised, then the risk of a wrongful freeze is smaller than the risk of a hacker either siphoning money out of the account, spreading more malware to other users or posting harmful content to friends and servers.
It is unbelievable that the security of such a big platform is so laughably bad compared to any other service. At this point I wouldn't recommend that anyone run Discord under Windows or Android because it is a huge security risk. It feels like the only safe way to run Discord is via Linux in a virtualized environment; that is how bad the hacking problem has become. I am currently waiting on my ticket addressing my hacked main account, and from what I've been hearing I'll probably have to wait another week or maybe months. I get that customer support is probably completely overloaded, given the huge waves of people affected by this I've seen across Twitter. If you actually fixed the security then maybe there would be less load on your customer support. Maybe the continent of Europe should take a look at this because it doesn't seem like you care about user data, as the hackers just roam freely with hacked accounts for weeks/months.
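Points 2) and 3) above describe a control flow rather than code, so here is an added illustration of what they amount to on the server side. This is not Discord's code and says nothing about how Discord actually implements anything; it is a small constructed account service in which an email or password change is only staged until a single-use, time-limited token sent to the address already on file is presented, every session token is revoked once the change lands, and a compromise report that matches the email of record freezes the account and discards any staged change. The class and method names, the 15-minute token lifetime and the in-memory outbox standing in for a mailer are all assumptions made for the example.

```python
"""Added example: staging sensitive account changes behind email confirmation.

Constructed for illustration; not the code of any real service.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CONFIRM_TTL_SECONDS = 15 * 60  # assumption: a confirmation token is valid for 15 minutes


def _token_digest(token: str) -> str:
    """Persist only a hash of the confirmation token, so a leaked row cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    user_id: str
    email: str
    password_hash: str
    frozen: bool = False
    # Live session tokens. A stealer that copies one gets exactly this much access and no more.
    sessions: set = field(default_factory=set)
    # digest -> (field_name, new_value, expires_at): changes staged but not yet confirmed.
    pending: dict = field(default_factory=dict)


class AccountService:
    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []  # (recipient, token); stand-in for a mailer
        self.clock = clock

    def login(self, user_id: str) -> str:
        acct = self.accounts[user_id]
        if acct.frozen:
            raise PermissionError("account frozen pending recovery")
        token = secrets.token_urlsafe(32)
        acct.sessions.add(token)
        return token

    def _authenticate(self, user_id: str, session_token: str) -> Account:
        acct = self.accounts[user_id]
        if acct.frozen or session_token not in acct.sessions:
            raise PermissionError("invalid session")
        return acct

    def request_change(self, user_id: str, session_token: str, field_name: str, new_value: str) -> bool:
        """A valid session may only *stage* an email or password change."""
        acct = self._authenticate(user_id, session_token)
        if field_name not in ("email", "password_hash"):
            raise ValueError("only email and password changes are staged")
        token = secrets.token_urlsafe(32)
        acct.pending[_token_digest(token)] = (field_name, new_value, self.clock() + CONFIRM_TTL_SECONDS)
        # The token goes to the address already on file, never to the proposed new one.
        self.outbox.append((acct.email, token))
        return True  # the caller gets an acknowledgement, not the token

    def confirm_change(self, user_id: str, token: str) -> bool:
        """Apply a staged change only with the token that was mailed out, and only once."""
        acct = self.accounts[user_id]
        entry = acct.pending.pop(_token_digest(token), None)
        if entry is None:
            return False
        field_name, new_value, expires_at = entry
        if self.clock() > expires_at:
            return False
        setattr(acct, field_name, new_value)
        acct.sessions.clear()  # every session token dies here, including any stolen copy
        return True

    def report_compromise(self, user_id: str, reporting_email: str) -> bool:
        """Freeze the account when the report comes from the email of record."""
        acct = self.accounts[user_id]
        if not hmac.compare_digest(acct.email.encode(), reporting_email.encode()):
            return False
        acct.frozen = True
        acct.sessions.clear()
        acct.pending.clear()  # anything the intruder staged is discarded with the freeze
        return True


def run_scenario() -> dict:
    """Constructed walk-through: a stolen session token tries to take over the address."""
    now = [1000.0]
    svc = AccountService(clock=lambda: now[0])
    svc.accounts["u1"] = Account("u1", "owner@example.test", "pw-hash")
    stolen = svc.login("u1")  # the token a grabber would copy from the owner's machine
    svc.request_change("u1", stolen, "email", "intruder@example.test")
    email_after_request = svc.accounts["u1"].email
    mailed_to, mailed_token = svc.outbox[0]
    guess_ok = svc.confirm_change("u1", "not-the-token")
    now[0] += CONFIRM_TTL_SECONDS + 1  # owner ignores the mail; the token expires
    expired_ok = svc.confirm_change("u1", mailed_token)
    frozen = svc.report_compromise("u1", "owner@example.test")
    return {
        "email_after_request": email_after_request,
        "mailed_to": mailed_to,
        "guess_ok": guess_ok,
        "expired_ok": expired_ok,
        "frozen": frozen,
        "stolen_session_still_valid": stolen in svc.accounts["u1"].sessions,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the walk-through makes is that holding the session token alone never moves the email off the account: the only thing a request achieves is a message to the mailbox the owner already controls, and a freeze from that mailbox ends the intruder's session as well.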
-
You pretty much explained what is happening right now. I've been very careful around shady links and have been banning anyone messaging other users. It is unfortunate that Discord hasn't implemented a security measure so simple, while having so many gateways for hackers to bypass the system.
Let's hope they actually fix this. Some of my friends have been hacked and it is quite annoying and sad.
-
I got hacked in the last 48 hours too. And no, I am not an internet monkey that clicks on everything; this is the first time I got phished/hacked in over 25 years.
And yes, I had 2-factor auth, email and phone verification enabled. I am actually shocked that it's so easy to bypass all this. The "auth token grabbers" are PUBLICLY available for every script kiddie.
What's the purpose of 2-factor auth if the thing is stored on my machine? Maybe I have to block the complete %appdata% folder for any program other than Discord to be safe?
It's a shame, and this is a scandal as well. People can swap your email address without even the need to click on a verification in your OLD email... What is this, 2005?
Guess our community will move away from Discord and join Steam's chat system. Which at least is secured!
I have the feeling that Discord employees themselves are stealing accounts and selling them for profit... there is no way they are this dull.
I already put ALL NEEDED information in the web form for contacting them. 3 emails later they ask me for my email and Discord tag.. no shit, Sherlock. I already told you....
I have everything! Account creation date, original email, original phone number, 2-factor auth, user id, screenshot of the attacker, transaction id for Nitro gifts... what else do they want lol