Native QR Code Scam Protection

Comments

27 comments

  • Ezayfund

    You have to make sure you are scanning it FROM DISCORD!

    -3
  • 147loch

    Technically, detecting whether the QR code is scanned from the Discord site is close to impossible.

    A simple trick would be to regenerate the QR code every 20 seconds, which would make it close to impossible for the scammer to share it with someone else.

    6
  • Royal_Administration

    This is a serious security issue, and has some serious vulnerabilities, discord is most likely aware of this issue and finding a way to fix this issue to make discord a more secure platform. But, you must keep in mind that you are responsible for your discord account, scanning a QR code claiming to give free nitro is not a good idea, you are responsible for all of your actions on your account, and discord should not be held responsible for you scanning a random QR code.

    -4
  • Kazuma

    I already was hit by it and they have my server. I hope I get it back.

    0
  • ThaCrypte

    They could just scan files that are being uploaded and see if they contain a Discord authentication QR code, and if one does, block the file.

    1
  • Artemis

    Just label the "Scan QR Code" button to indicate that it is used for logging in...

    0
  • PatPeter

    I hope you get your server back Kazuma. I would go ballistic if a new Discord feature that I had no knowledge of lost me my server.

    0
  • Kazuma

    It's a 4k server I worked on for years, full of my friends and memories. I reported it; I hope I get it back.

    0
  • ave

    I dislike many actions of Discord and think that they can improve many things; however, I do not see any fault on Discord's part in this specific situation.

    This is the industry-standard handoff procedure. WhatsApp and Signal both do this.

    Discord even has a dedicated modal to deal with this (on Android 10.1.9, I've been told that it's different on iOS, only saying "Almost There" and "You have unlocked the magic pass to login on your computer! Confirm that it's you on the PC."):

    > Are you trying to log in on the computer? [in bold]

    > Only scan QR codes taken directly from your browser. Never use a code sent to you by another user. [in red]

    The only improvements I think they might be able to make are:

    - There's a delay between the QR code scan and the "Yes, log me in" button being usable, preferably long enough (30s) that users get bored, read the text, and deny the request.

    - Users can report QR codes during this time, so that scammers can be directed directly to T&S.

    - QR codes on the webpage get shuffled rather quickly, every 10 seconds or so, so that a scammer wouldn't be able to put out a long-lived one in DMs or similar. Having someone send an image every 10 seconds would make most people suspicious, I'd say.

    - Requiring multiple QR codes to be read after the first one is read, maybe just two should be enough.

    Your recommendation of automatically scanning any and every image for a QR code is NOT technically viable, especially at the scale of Discord.

    10
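A minimal server-side model of the mitigations proposed in 147loch's and ave's comments (a short-lived, rotating QR nonce, a delay before "Yes, log me in" becomes usable, and a still-required second factor as ThatProgrammer asks for). This is an added illustration, not Discord's code; the class, the 10 s rotation, the 30 s delay and the fake clock are assumptions taken from the comments.

```python
import secrets

# Parameters taken from the comments above (assumptions for this model):
QR_TTL_SECONDS = 10         # desktop rotates the code every 10 s (ave, 147loch)
APPROVE_DELAY_SECONDS = 30  # "Yes, log me in" stays disabled for 30 s after a scan

class QrLoginBroker:
    """Server-side state for a desktop -> phone login handoff (constructed model)."""
    def __init__(self):
        self.now = 0.0         # fake clock so the flow replays deterministically
        self.challenges = {}   # nonce -> {"issued", "scanned_at", "phone"}

    def issue_challenge(self):
        # Desktop polls this every QR_TTL_SECONDS; older nonces simply die.
        nonce = secrets.token_urlsafe(16)
        self.challenges[nonce] = {"issued": self.now, "scanned_at": None, "phone": None}
        return nonce

    def scan(self, nonce, phone_user):
        # Phone submits the nonce it read; a screenshot shared after the TTL is dead.
        c = self.challenges.get(nonce)
        if c is None or self.now - c["issued"] > QR_TTL_SECONDS:
            return "expired"
        c["scanned_at"], c["phone"] = self.now, phone_user
        return "pending_confirmation"

    def approve(self, nonce, phone_user, second_factor_ok):
        # Phone's "Yes, log me in": delayed, bound to the scanning user, 2FA still required.
        c = self.challenges.get(nonce)
        if c is None or c["scanned_at"] is None or c["phone"] != phone_user:
            return "denied"
        if self.now - c["scanned_at"] < APPROVE_DELAY_SECONDS:
            return "too_early"
        if not second_factor_ok:
            return "denied"
        del self.challenges[nonce]     # single use
        return "logged_in"

def replay():
    """Honest flow, then a stale forwarded code; returns the four outcomes."""
    b = QrLoginBroker()
    honest = b.issue_challenge()
    b.now += 5
    r1 = b.scan(honest, "alice")            # inside the TTL
    r2 = b.approve(honest, "alice", True)   # button still disabled
    b.now += 30
    r3 = b.approve(honest, "alice", True)
    stale = b.issue_challenge()
    b.now += QR_TTL_SECONDS + 1             # screenshot forwarded too late
    r4 = b.scan(stale, "bob")
    return [r1, r2, r3, r4]
```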
  • Populeux Music

    Just change your password if they gained access, and enable 2FA.

    -5
  • SiguyGamer.

    2FA doesn't work, as they get direct access to your account. Changing the password doesn't either, because they already have access.

    2
  • ryantheleach

    @ave they already have basic image processing for nudes / NSFW / images matching known fuzzy hashes of child exploitation content. Automatic parsing of QR codes is trivial by comparison.

    -1
  • Phalelashvili

    Processing images and looking for QR codes on Discord itself isn't enough; it can spread outside Discord. Other apps use QR codes as a way to add a friend instead of typing usernames, so someone can get tricked into giving their account away by thinking it's for adding someone to their friend list. A simple warning saying what scanning the QR code does would be enough.

    -2
  • noirscape

    @ryantheleach - Discord's NSFW filter has never worked for me outside of censoring things that decisively _weren't_ NSFW.

    0
  • Anonymus

    Why not remove the feature temporarily?

    -2
  • DD_HD

    But if you scan a code, Discord asks you if it is really your desktop you are going to log in on, so where is the problem?

    2
  • cg7033

    Thinking about the average age of Discord's user base, with a large majority of it being under 18 (I am aware there are under-13s, and Discord's ToS says no; don't shoot the messenger), due to the aim of Discord to be for gamers, not every under-18 or over-18 is that tech savvy. So having a QR code scanner and saying "Hey, scan this code and it'll give you free ****", which bypasses all security setups and allows full access without personal verification, is a pretty big wormhole for something on the scale of Discord.

    If it worked in corroboration with some sort of built-in verification on the mobile device (biometrics scanner, passcode etc.) then it would be more secure, but at the moment it is a very vulnerable loophole.

    0
  • Rachman8780

    QR-code scam is old news? You guys still believe in free Discord Nitro giveaways? Nothing in the world is 100% free. People who have no experience with social media fall for it.

    3
  • ThatProgrammer

    I'm going to say this now. Discord should have put more time and effort into making this more secure. One of those reasons being that accounts with 2FA should still have to enter their 2FA Code, or at least if you're going to make it bypass both, give users the ability to choose how the feature works and what is still required if the QR Code is scanned. 

    Honestly, in my honest opinion, this feature seemed rushed to be added without consideration of the user base that Discord has. I feel like this has to be fixed ASAP.

    0
  • ;?

    Just get rid of QR codes PERIOD.

    -3
  • JM_ThePuertoRicanKid

    How can we avoid the QR code scams? 

    0
  • Kupo

    Don't scan QR codes that aren't from the login page on Discord. Don't click on suspicious links. If you use your ~discord login~ information for something that isn't a ~discord login~ page, you deserve to have your account stolen.

    0
  • HVENetworks

    Discord can programmatically scan all uploaded images to see if they contain a QR code that is one of the login ones.

    0
  • ™Dog Bot™

    @147loch It actually is not impossible; you have to code the computer to see what app it is supposed to open!

    1
  • Dark Knight[🇬🇧🇫🇷]

    Isn't this a false spam thing that's going around the internet???

    2
  • V̴̍́i̸̓̕n̸̽͆c̴̊̍e̴͛̇n̶͒̆t̸͌͌

    What if there was also a code system. I mean like an IP verification system.

    Example:
    When you scan the QR code from device 2, it tells the computer that it has been scanned. Device 2 searches for its IP and sends it back to the computer. Then device 2 provides its IP, which will have to be entered into the computer to verify it's you by IP.

    0
  • cg7033

    @ V̴̍́i̸̓̕n̸̽͆c̴̊̍e̴͛̇n̶͒̆t̸͌͌

    That would be viable; however, think of the user base of Discord. Not all users are that savvy and will know, let alone understand, what the bunch of numbers on their screen is. It would be good to work in conjunction with 2FA apps (Google Auth, Microsoft Auth etc.), but IP validation is a bit far-fetched for the average gaming user.

    1