Discord QR code Exploit

 Arcaxon    12 Jan 2020
 discord, qr code, qr, code    PSAs

Originally verified on Discord and posted on 12 January 2020 by Mato, based on independent research.

QR login

A few weeks ago, Discord added the ability to log in on desktops and browsers by scanning a QR code with a smartphone on which you're already logged in to the Discord app. This is called Remote authentication. While this shouldn't send login *information* (your password) to the attacker, it still shares the login session. The QR login approach also skips 2FA.

If someone asks you to scan their QR code, you might accidentally give them permanent access to your account, whether or not the QR code features the Discord logo. (The barcode reader treats the logo covering part of the QR code's data as an error, but the code's error correction is high enough that the logo overlay isn't a problem.)

If the QR code is scanned by a reader app outside Discord, it'll take you to the Discord app and ask you to re-scan the code.

The authentication token stored in the QR code is only valid for 10 minutes. (This might be different for you, or change in the future. To check the current timeout, go to https://discordapp.com/login, open the developer console and look for the `auth timeout` parameter sent by `LoginQRSocket`.)

I encourage you to use the feature when you're logging in, but don't use the built-in barcode scanner of the Discord app for any other barcodes. The QR code could be used for phishing or other malicious attacks. Do not scan anything in return for a promised reward, such as Nitro. (If you're really curious, wait until the auth token times out.)

I also highly encourage you to enable 2FA on all of your accounts if you haven't already. Even though the QR login bypasses it, if your password is discovered, the attacker can't lock you out by changing it. Download a 2FA authenticator app to your smartphone.

Stay safe.
— Mato
