Login window reduced to two minutes, but is this enough to combat fraudsters?
Discord has made some changes to its QR code login system following reports that the mechanism is being abused by scammers trying to gain access to users’ accounts.
In December, developers at Discord – a voice and text chat app widely used by the gaming community – announced the launch of a QR code feature that enables users to log into the desktop web client using their phone, by scanning the code that appears on-screen.
While this feature is aimed at simplifying the Discord login process for desktop users, news has surfaced that fraudsters have been exploiting the system in an effort to gain unauthorized access to accounts.
According to discussions on various Discord servers and on social media, scammers have been posting QR codes with the promise of free Nitro, the platform’s subscription package that offers numerous perks, and other giveaways.
In scanning the code, however, users inadvertently provide the attacker with access to their account.
“The login-by-QR method works without any username/password and 2FA, and while it makes Discord way more convenient to log into everywhere, it unfortunately is being exploited in the form of fake Nitro gifts (and possibly other forms),” said one Discord user.
Discussion of the QR code login exploit has taken place on various Discord servers
Opinion is split over the potential severity of this exploit. For some users, having their accounts compromised may result in little more than frustration – although it’s unlikely that anyone would be happy with someone being able to impersonate them online.
However, after releasing a proof of concept to demonstrate the apparent ease of exploitation, Twitch partner Pirate Software said that if the user was a Nitro subscriber, an attacker could gain access to their name, address, and unobfuscated PayPal email address.
Discord did not immediately respond to our request for comment. As we wait to hear back, staff weighed in on a Reddit discussion thread, noting that the QR code login window had been reduced, in an effort to thwart any would-be scammers.
“We recently reduced the validity window of the QR code from 10 minutes to 2 minutes,” said one Discord engineer, who added:
We… noticed an uptick in people trying to socially engineer users into scanning QR codes in an attempt to trick them into logging into another device that they don’t control.
Our original thought was that the verbiage on the screen would be enough to deter social engineering attacks, however, we agree that more clear verbiage and a warning could be in place.
Across our mobile app release channels, we have modified the verbiage in the confirmation screen to more clearly emphasize that you are logging into another device, and impose a delay before the ‘log me in’ button is active (hopefully making people read the red text.) You can see this new screen here.
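As an added illustration (not Discord's code; the confirmation delay, token format and clock interface are assumptions), a minimal model of the cross-device QR login flow with the two mitigations the engineer describes: a short validity window on the code, and an explicit confirmation step on the already-authenticated phone that is gated behind a delay.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed values, not Discord's: old and new validity windows (seconds)
# and a short delay before the confirm button becomes active.
QR_TTL_OLD = 10 * 60
QR_TTL_NEW = 2 * 60
CONFIRM_DELAY = 5


@dataclass
class QrLoginSession:
    created_at: float
    ttl: int
    scanned_at: Optional[float] = None  # set when a phone scans the code
    user_id: Optional[str] = None       # account of the phone that scanned


class QrLoginServer:
    def __init__(self, ttl: int = QR_TTL_NEW, confirm_delay: int = CONFIRM_DELAY,
                 clock: Callable[[], float] = None):
        self.ttl, self.confirm_delay, self.clock = ttl, confirm_delay, clock
        self.sessions: Dict[str, QrLoginSession] = {}

    def start(self) -> str:
        # Desktop client asks for a code; the nonce is what the QR encodes.
        nonce = secrets.token_urlsafe(32)
        self.sessions[nonce] = QrLoginSession(self.clock(), self.ttl)
        return nonce

    def _live(self, s: QrLoginSession) -> bool:
        return self.clock() - s.created_at < s.ttl

    def scan(self, nonce: str, user_id: str) -> str:
        # Phone scans the code: binds the session to the phone's account but
        # does NOT log the desktop in yet; the phone now shows the warning.
        s = self.sessions.get(nonce)
        if s is None or not self._live(s):
            return "expired"
        s.scanned_at, s.user_id = self.clock(), user_id
        return "awaiting_confirmation"

    def confirm(self, nonce: str, user_id: str) -> Optional[str]:
        # Only the scanning account may confirm, only while the code is live,
        # and only after the delay; the nonce is single-use.
        s = self.sessions.get(nonce)
        if s is None or not self._live(s) or s.user_id != user_id:
            return None
        if self.clock() - s.scanned_at < self.confirm_delay:
            return None  # button not active yet
        del self.sessions[nonce]
        return f"session-token-for-{user_id}"  # constructed token format


class FakeClock:
    """Deterministic clock so the flow can be exercised without sleeping."""
    def __init__(self, t: float = 1000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t
```

A code scanned five minutes after issue is still usable under the old ten-minute window but rejected under the two-minute one, and even a fresh code yields no session until the scanning account explicitly confirms after the delay.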
In addition to being discussed on multiple Discord servers, the issue has already found its way to social media, with one user tweeting: “PSA: If someone sends you a QR code through Discord, don’t scan it. They can use it to get instant access to your account.”
Another user responded that the QR code scam had been overhyped.
“A good amount of misinformation being made here,” they said. “Discord requires that you confirm the login before the attacker has access. If you just ignore the warnings that Discord gives you, then it’s your own fault. Just be smart and don’t fall for those attacks.”
Over on Reddit, however, the ‘don’t fall for attacks’ argument fell short.
“I don’t get the elitism of, ‘If you’re getting phished, it’s your fault, now bugger off, discord should change nothing’,” wrote one user.
“Create something that’s safe and sound, not, ‘Yeah, that QR code can be used to login, it clearly said so, but you didn’t pay attention…’”