Security

Khafra edited this page Jan 14, 2020 · 2 revisions

Intro

When talking to friends about personal topics, you should be able to expect privacy. Discord is trusted with far more information than it should be, while taking no precautions against breaches or invasive techniques.

Discord Security Practices

  • Passwords (logging in, registering, or in any other circumstance) are sent in plaintext, un-salted, to Discord's servers.
  • Message content(s) are sent to Discord without any type of encryption.
  • Sensitive information, such as the account's email and phone number, can be retrieved with the user's token.
  • Discord provides no encryption or protection whatsoever, other than an SSL certificate.

2FA ("Two factor authentication")

Information

  • When viewing your backup codes, which is already dangerous enough as-is, your device makes a POST request to https://discordapp.com/api/v6/users/@me/mfa/codes with a request body of:
{"password":"password","regenerate":false}
  • Backup codes, which allow complete access to an account, can be retrieved given the account's password. Not only this, the password is sent in plaintext, which is sadly enough standard practice for Discord.
  • The request response is a JSON object containing every code.
{"backup_codes": [
    {"code": "code", "consumed": null, "user_id": "ID"},
    {"code": "code", "consumed": null, "user_id": "ID"},
    {"code": "code", "consumed": null, "user_id": "ID"},
    {"code": "code", "consumed": null, "user_id": "ID"},
    {"code": "code", "consumed": null, "user_id": "ID"},
    {"code": "code", "consumed": null, "user_id": "ID"},
    {"code": "code", "consumed": null, "user_id": "ID"},
    {"code": "code", "consumed": null, "user_id": "ID"},
    {"code": "code", "consumed": null, "user_id": "ID"},
    {"code": "code", "consumed": null, "user_id": "ID"}
]}

Issues

  • Your codes can be retrieved given an account's password (and token, but a password is powerful enough to retrieve a token), and that password is sent in plaintext.
  • The codes are returned in plaintext, meaning that Discord most likely stores them in plaintext. This means Discord has complete access to the codes whenever it wants them.
  • Backup codes should never be retrievable after they are issued. It is up to the user to secure and save them, not Discord.
  • Retrieval can be automated programmatically without the user signing in interactively, which bypasses the protection 2FA is meant to provide.

Fix(es)

  • Backup codes should be generated client-side, salted and hashed, and only the salt and hash sent to the server. When a user enters a code, it should be hashed with the stored salt and compared against the stored hash.
  • No user should be able to retrieve their backup codes, for their own safety. Tell users to secure these codes and that they cannot be viewed again once issued.
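The storage scheme described in the fix above, as an added example that is not part of this wiki or Discord's code. It assumes a per-code random salt, PBKDF2-SHA256 as the hash, and the one-time "consumed" flag from the API response; the function names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets

CODE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
PBKDF2_ITERATIONS = 100_000  # assumed cost; tune for the server


def generate_backup_codes(count=10, length=8):
    # Plaintext codes, produced client-side and shown to the user exactly once.
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            for _ in range(count)]


def hash_code(code, salt):
    # Salted, slow hash so a leaked record set cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


def build_server_records(codes):
    # What gets sent to and stored by the server: salt + hash + consumed flag.
    # The plaintext code never leaves the client and cannot be retrieved later.
    records = []
    for code in codes:
        salt = os.urandom(16)
        records.append({"salt": salt, "hash": hash_code(code, salt), "consumed": False})
    return records


def redeem_code(records, candidate):
    # Re-hash the entered code with each record's salt and compare in constant time.
    # Every unconsumed record is checked (no early return) so the matching
    # position is not leaked through timing; a match is consumed on use.
    matched = None
    for rec in records:
        if rec["consumed"]:
            continue
        if hmac.compare_digest(rec["hash"], hash_code(candidate, rec["salt"])):
            matched = rec
    if matched is None:
        return False
    matched["consumed"] = True
    return True
```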