
Discord allows creation of accounts without email verification leading to unauthorized accounts

MeleeIkon

This just happened to me starting on the 14th. I received the usual "Verify your email address" email on my iCloud account, but using the icloud.com domain instead of the .me domain that I use as default. I ignored it because I thought someone had just mistyped their own email. Until this morning, when I saw an email "Welcome to Discord". I immediately went on iCloud and changed my password. I already had MFA set up and I was able to see that no suspicious logins to my account were made.

 

I then went on Discord, reset the password to this account, then changed it, added MFA and deleted all their posts, friends, servers and messages. Changed the name and the avatar and requested "all my data", which we'll see if they send. It did look to be a kid, but that is a huge liability. I sent a request to Discord, but they have not replied and they do not have a phone number where I could reach a human being.

 

So I went on to Reddit and reported it, found out that someone else reported the same thing and that it is known. That's a huge personal liability.

 

Let's say someone has a personal or, dare I say, even political enemy; that means they could create a social media account under their email with impunity and impersonate them, then post spicy things on the internet and then send a copy of those posts to the news media. Does that not scare anyone else? Some person on Reddit was like, "Oh yeah, that's a thing, it's not a big deal". I find that to be a huge deal.

 

Anyone else?


That doesn’t sound good at all. Everyone and their mom requires email verification since forever. 


Report it to Discord directly. While they might use Reddit as an additional community platform, it's not their main support channel. So more than likely it's under investigation, and Reddit just doesn't know sh.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


I did, apparently they don't care. They told me to request a feature on the forums. So apparently I may need to use this bug to make it a news item. However I told them I would give them 30 days before I did. So we will see if they do anything.


I don't really understand the issue.

You say it works without a verification email.

But you also say you got one?

So how does this work?

So let's say someone registered with *your* email at Discord (???). What can they do now when they don't have access to your email account?

 

 

 

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


17 minutes ago, Mark Kaine said:

I don't really understand the issue.

You say it works without a verification email.

But you also say you got one?

So how does this work?

So let's say someone registered with *your* email at Discord (???). What can they do now when they don't have access to your email account?

 

 

 

They are saying once you register you can still use the account with that email without activating it first.

Current Network Layout:

Current Build Log/PC:

Prior Build Log/PC:


6 minutes ago, Lurick said:

They are saying once you register you can still use the account with that email without activating it first.

That's how account registration usually works: 1 account, 1 email.

So they already registered that email and now someone else used that same email to register?

That would be at least unusual, but I still don't see the actual issue? They aren't going to activate the account without verification.

 

On 1/16/2022 at 5:52 PM, MeleeIkon said:

Let's say someone has a personal or even dare I say political enemy, that means they could create a social media account under their email with impunity and impersonate them and then post spicy things on the internet and then send a copy of those posts to the news media.

And what does Discord have to do with other "social media"?

Again, how does this work (supposedly)?

 

 



4 minutes ago, Mark Kaine said:

That's how account registration usually works: 1 account, 1 email.

So they already registered that email and now someone else used that same email to register?

That would be at least unusual, but I still don't see the actual issue? They aren't going to activate the account without verification.

No, it's supposed to work like this (usually):

I sign up for account > I get activation email > I cannot use account until I activate with the email

 

For Discord, OP is saying:

I sign up for account > I can use account without activation

 

Again, it's mostly a nuisance thing but could maybe be used to annoy people or something.



1 minute ago, Lurick said:

No, it's supposed to work like this (usually):

I sign up for account > I get activation email > I cannot use account until I activate with the email

 

For Discord, OP is saying:

I sign up for account > I can use account without activation

 

Again, it's mostly a nuisance thing but could maybe be used to annoy people or something.

That's not how I understand the OP.

But I would like to see some proof for that claim if that's what they're saying.

Also, if there is no verification, how does the email address even matter? You could just use a random fake one. And how did OP get a verification email if there is no verification?

 

On 1/16/2022 at 5:52 PM, MeleeIkon said:

I received the usual "Verify your email address" email

 



1 minute ago, Mark Kaine said:

That's not how I understand the OP.

But I would like to see some proof for that claim if that's what they're saying.

Also, if there is no verification, how does the email address even matter? You could just use a random fake one. And how did OP get a verification email if there is no verification?

 

 

I think they are saying that someone used their email to make an account where they didn't have one before (in this case Discord) but I agree, proof would be great here 🙂



3 minutes ago, Lurick said:

I think they are saying that someone used their email to make an account where they didn't have one before (in this case Discord) but I agree, proof would be great here

If that's the case, then there is nothing that can be done; everyone who knows it could sign up with their email address.

The problem I'm having: nothing in the OP adds up. Where's the connection to other "social media", etc.?

And as said, if they got a verification email and didn't verify, that account would not be activated.

 



4 hours ago, Mark Kaine said:

The problem I'm having: nothing in the OP adds up. Where's the connection to other "social media", etc.?

They are using that as an example of what could happen if this bug were spreading more widely. It's just a common overreaction to a simple bug, or even a temporary thing.



1 minute ago, LogicalDrm said:

They are using that as an example of what could happen if this bug were spreading more widely. It's just a common overreaction to a simple bug, or even a temporary thing.

That's also possible, but they don't make it sound like that either.

I'm not even sure this is a bug. As said, you could sign up literally everywhere using an email address that isn't yours; it's not even a security risk as long as you don't also have access to that email (unless someone would actually verify it by accident, I suppose, but even that could be rectified).

I agree though it could just be an overreaction from OP, which is why I'm asking all these questions. They didn't really provide an example of how this all is supposed to work, so some clarity would be helpful in every way.



5 minutes ago, Mark Kaine said:

That's also possible, but they don't make it sound like that either.

I'm not even sure this is a bug. As said, you could sign up literally everywhere using an email address that isn't yours; it's not even a security risk as long as you don't also have access to that email (unless someone would actually verify it by accident, I suppose, but even that could be rectified).

But that is their issue... Are you sure you read OP? They are literally saying that Discord is allowing accounts to stay active even when the activation/verification link is not clicked.

I'm fairly certain there's one of two things going on. One is that it really is a bug and will be fixed (the claims of Discord support being arrogant towards such a security flaw sound very odd). The other is that the accounts aren't actually active. They are just temps and will expire within the given time for clicking that link, usually 24h. Registering just sends two emails, one for verification and the other as a welcome. That doesn't mean that accounts would stay active after the verification link has expired.


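To make the two flows in this thread concrete (Lurick's "sign up > activation email > cannot use until activated" versus "sign up > can use without activation", and LogicalDrm's point that an unverified sign-up should lapse after about 24h), here is an added toy registration service. It is example code written for this thread, not Discord's code; the 24-hour TTL, the `Registry` class and its methods are assumptions, and a verified email cannot be re-registered while an unverified claim is simply replaced, so it never locks the mailbox owner out.

```python
import secrets

VERIFY_TTL = 24 * 3600  # assumed: an unverified sign-up lapses after 24 hours

class Registry:
    def __init__(self, gate_on_verification=True):
        self.gate = gate_on_verification  # False models the behaviour OP reports
        self.accounts = {}  # email -> {"verified", "token", "expires"}
        self.posts = []

    def register(self, email, now):
        self._expire_unverified(now)
        acct = self.accounts.get(email)
        if acct and acct["verified"]:
            raise ValueError("email already belongs to a verified account")
        # An unverified claim is simply replaced, so it can never lock the mailbox owner out.
        token = secrets.token_urlsafe(32)
        self.accounts[email] = {"verified": False, "token": token, "expires": now + VERIFY_TTL}
        return token  # delivered only to the mailbox; the signer-up never sees it

    def verify(self, email, token, now):
        self._expire_unverified(now)
        acct = self.accounts.get(email)
        if acct is None or not secrets.compare_digest(acct["token"], token):
            return False
        acct["verified"] = True
        return True

    def post(self, email, text, now):
        self._expire_unverified(now)
        acct = self.accounts.get(email)
        if acct is None or (self.gate and not acct["verified"]):
            return False  # the gate OP says was missing
        self.posts.append((email, text))
        return True

    def _expire_unverified(self, now):
        for email, acct in list(self.accounts.items()):
            if not acct["verified"] and now > acct["expires"]:
                del self.accounts[email]

def demo(now=1_700_000_000.0):
    weak, strict = Registry(gate_on_verification=False), Registry()
    weak.register("owner@example.com", now)  # constructed sample address
    token = strict.register("owner@example.com", now)
    result = {"ungated": weak.post("owner@example.com", "hi", now + 60),        # True
              "gated_before": strict.post("owner@example.com", "hi", now + 60)}  # False
    strict.verify("owner@example.com", token, now + 60)
    result["gated_after"] = strict.post("owner@example.com", "hi", now + 120)   # True
    result["lapsed"] = weak.post("owner@example.com", "hi", now + VERIFY_TTL + 1)  # False
    return result
```

Even the ungated registry stops accepting posts once the unverified claim lapses, which is the "temp account" outcome LogicalDrm describes.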

6 minutes ago, LogicalDrm said:

They are literally saying that Discord is allowing accounts to stay active even when the activation/verification link is not clicked.

And I'm saying I would like some proof for this because I think it's very unlikely.

Plus Discord doesn't show your email to others, so how could this be used in the way OP is describing?

Think about it: if that was a thing, it would be all over the news already.

 

On 1/16/2022 at 5:52 PM, MeleeIkon said:

Let's say someone has a personal or even dare I say political enemy, that means they could create a social media account under their email with impunity and impersonate them and then post spicy things on the internet and then send a copy of those posts to the news media

This whole paragraph makes no sense (unless there is some evidence of this actually happening, wouldn't you say?)

 

11 minutes ago, LogicalDrm said:

I'm fairly certain there's one of two things going on. One is that it really is a bug and will be fixed (the claims of Discord support being arrogant towards such a security flaw sound very odd). The other is that the accounts aren't actually active. They are just temps and will expire within the given time for clicking that link, usually 24h. Registering just sends two emails, one for verification and the other as a welcome. That doesn't mean that accounts would stay active after the verification link has expired.

Pretty much all of this... I just don't think it's OK that OP acts like this is a real issue with nothing to back it up?

And well, IDK, it's been a while, but I don't think Discord lets you post anything unless your account is verified.



6 hours ago, Mark Kaine said:

And I'm saying I would like some proof for this because I think it's very unlikely.

That's not what you were saying...

 

6 hours ago, Mark Kaine said:

Plus Discord doesn't show your email to others, so how could this be used in the way OP is describing?

How do malicious parties get email addresses overall? Security breaches on other sites, scraping public sites and so on.

 

Though like I said, OP is overreacting. You don't need to have the actual email of the person you want to impersonate. That can be done with ANY email. For their political example, they mean using the email to register an account first so that the email cannot be used by the actual owner.



4 hours ago, LogicalDrm said:

That's not what you were saying...

Umm, I did.

16 hours ago, Mark Kaine said:

But I would like to see some proof for that claim if that's what they're saying.

 

 

 

The whole subject is not even worth discussing further until OP can show at least "some" proof for their rather outrageous claims.

 

 

17 hours ago, MeleeIkon said:

I did, apparently they don't care. They told me to request a feature on the forums. So apparently I may need to use this bug to make it a news item. However I told them I would give them 30 days before I did. So we will see if they do anything.

What bug?

You're saying he's "overreacting"; might be. The problem is also he's making up stuff obviously out of thin air and doesn't answer any questions; nothing adds up.

 



18 minutes ago, Mark Kaine said:

The whole subject is not even worth discussing further

This, we do agree.

