
Good Feature From Discord Becomes Security Concern For Users

Recently if you use Discord and you are part of a big server you know about this most likely.

For those who don't but are curious what is going on, let me explain, and also what's going on in the back end of this scam. First off, it is NOT a hack, it is a scam. What's going on is that people are getting these QR codes on their screens, copying them, then posting them in either DMs or publicly in Discord servers. These messages can usually go from "free nitro" to maybe unlocking features, or something else Discord related. Either way they will send a QR code. Best course of action is to not scan it.
 

Boring scary part out of the way, let's get into how the scam works. It gives you a false sense of hope, because those who see it think "Oh it is Discord related" and scan it with the QR Code scanner built into the Android and iOS apps, and with that the scammers have got your Discord account. How? Well, the QR Code reader reads login codes to make logging into other devices easier. This was a feature sent out sometime recently by the Discord team themselves, with the oversight that people could use this to steal accounts which can be used to log into. The QR code is used to log in and can only be used if you are logged in with a mobile device. Some people might not know this feature and not know it is dangerous, which is why it has been working decently well.

Do not trust random QR codes anywhere, even if it connects to the same service that you saw it on.

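A toy model of the scan-to-log-in flow the post above describes, added here as an illustration and not taken from the thread or from Discord's code: the class, method names, network comparison and addresses are all assumptions. It shows that approving a scanned ticket logs in whichever device requested it, with no password or 2FA prompt, and how a consent check on the approving side refuses a ticket that came from somewhere else.

```python
import secrets
import time

class QrLoginService:
    """Toy 'scan to log in' server (constructed model, not Discord's API)."""
    TTL = 120  # seconds a login ticket stays valid (assumed value)

    def __init__(self):
        self.tickets = {}    # ticket -> requesting device, network, expiry
        self.sessions = {}   # device -> account now logged in on it

    def new_ticket(self, device, network):
        """A logged-out client asks for a ticket; the QR code encodes it."""
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"device": device, "network": network,
                                "expires": time.time() + self.TTL}
        return ticket

    def approve(self, ticket, account, scanner_network,
                confirmed=False, hardened=False):
        """Called by the already-logged-in phone app after it scans a code."""
        t = self.tickets.pop(ticket, None)       # tickets are single-use
        if t is None or t["expires"] < time.time():
            return None
        if hardened and t["network"] != scanner_network and not confirmed:
            return None      # requester is elsewhere: needs explicit consent
        # No password or 2FA code is asked for: the phone session vouches.
        self.sessions[t["device"]] = account
        return t["device"]

def scam_scenario(hardened):
    svc = QrLoginService()
    # Ticket requested by someone else's browser, then posted as an image.
    posted = svc.new_ticket(device="stranger-laptop", network="203.0.113.7")
    # The account owner's phone (logged in, 2FA enabled) scans that image.
    svc.approve(posted, account="victim", scanner_network="198.51.100.20",
                hardened=hardened)
    return svc.sessions

def own_login_scenario():
    svc = QrLoginService()
    own = svc.new_ticket(device="my-laptop", network="198.51.100.20")
    svc.approve(own, account="victim", scanner_network="198.51.100.20",
                hardened=True)
    return svc.sessions
```

The network comparison stands in for whatever context a real app would show the user before asking "log in this device?"; a phone on mobile data and a laptop on Wi-Fi would differ legitimately, which is what the `confirmed` flag models.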

is this actually being reported or is this your own personal opinion?


2 minutes ago, Arika S said:

is this actually being reported or is this your own personal opinion?

It's been an @everyone in a bunch of servers.

More social engineering than anything.

Personally something I would never fall for, but see how someone could.


2 minutes ago, Arika S said:

is this actually being reported or is this your own personal opinion?

Being reported, idk any big news sources yet but reports of this have flooded to the point I had 50 @ everyones in my notifications about this, so I am sure some real news source will hit on it in the next few minutes. However I knew this scam worked, know this scam is real as my friend told me he fell for it.


-Moved to General Discussion-

 

Please update your post to comply with Tech News posting guidelines, and notify myself or another member of staff when you have done so.

Quote or tag me( @Crunchy Dragon) if you want me to see your reply

If a post solved your problem/answered your question, please consider marking it as "solved"


4 minutes ago, Crunchy Dragon said:

-Moved to General Discussion-

 

Please update your post to comply with Tech News posting guidelines, and notify myself or another member of staff when you have done so.

I just want the information out there, felt like it was news but I guess I did misread some of the guidelines, my bad.


17 minutes ago, KaiLikesProgramming said:

I just want the information out there, felt like it was news but I guess I did misread some of the guidelines, my bad.

it's easy to do no worries 

Please quote or tag  @Ben17 if you want to see a reply.

If I don't reply it's probably because I am in a different time zone or haven't seen your message yet but I will reply when I see it

 


Just now, Erik Sieghart said:

It's not a good feature and no one wanted it.

agreed never used it once lol  

not even sure what it's meant to do


2 hours ago, Ben17 said:

agreed never used it once lol  

not even sure what it's meant to do

Well, as a developer [working on my own Discord Bot library] I can say it can help the nightmares of having to log in a billion times

 

2 hours ago, Erik Sieghart said:

It's not a good feature and no one wanted it.

Actually it is liked by a lot of people, myself included. Usually people who have many machines or do development are the people using this but most people I know love it, just a dumb security flaw.


I'm rather confused how this is a thing.  How can someone sending me a barcode give them access to my account?  That barcode would have to be the unique barcode associated to my account, yes?  So they would already have to have access to my account to send me my own code to log in.  At what point am I sending them any information in regards to my account?  Even if the threat was that the scanner app developers were picking the codes from users, that'd still mean that the threat would be from scanning my own code, not from scanning some code someone else sent me. Scanning a QR/bar code is receiving and inputting information, you aren't transmitting anything in the act of scanning it.

For example I can convert the above text into a QR code, as attached, and you could scan it.  Scanning it would do no more than decode and read the information provided within the image.  The only way, other than the app dev skimming and testing every single code scanned on their app, would be if it led you to a phishing clone of the Discord login prompt and you then provided your account details.

discord qr example text.png


The most they would gain from this is your username unless for one reason or another there is a flaw in the Discord authentication process.  Now if you are being directed to a site asking you to login then that is considered a cred harvester and it is not related to Discord at all.


I don't see this so much as a security flaw as much as user error. Discord has 2FA as well so wouldn't that help?

It's basically a modified version of the same old scam that's been going on for decades. It's basically an IQ test.

Kinda reminds me of the whole Ring doorbell issues where people are blaming Ring because they use "password123" for their password and no 2FA and then get hacked.  I don't put this blame on the company but the users.


9 hours ago, RonnieOP said:

Discord has 2FA as well so wouldn't that help?

This bypasses 2fa. I have 2fa turned on, and a very secure password. I used the QR code to log into discord on a laptop I hadn't used before, and it didn't even send me a verification email. 


11 hours ago, Muzika said:

This bypasses 2fa. I have 2fa turned on, and a very secure password. I used the QR code to log into discord on a laptop I hadn't used before, and it didn't even send me a verification email. 

Interesting. But the QR code is from discord and not a random user.

 

So as long as someone's not scanning codes from strangers they will be fine.
