2FA can be easily bypassed with user token itself, also token isn't stored securely

[renhiyama]

A hacker, simply needs a user's token to login and run all the dangerous stuff. No 2fa even required.
Nowadays, there are many scam on discord dms too, where hackers (and hacked accounts) ask you to download and test their game. On running it, the app will simply copy your token and send it to their servers.
Great. Literally the easiest and best way to bypass 2fa is to use user token itself.
In this case it was a testing app by a hacker, but what if, it was an fake antivirus or anything like that? A user would be simply using it like a normal app (trojan, as we can call it) while it would simply send the token to their servers and perform malicious jobs.
Discord NEEDS to take this security seriously! 2fa is not even necessary, if this vulnerability is fixed.

[advaith1]

this doesn't make sense; it isn't feasible for Discord to ask you to authenticate with 2fa every second for every action the client wants to do, so obviously you can "bypass" 2fa with the token, that's how all services work and basically the whole idea of "logging in" to a service

[ghost]

giving the token to someone (or running an app that they tell you to download) is like giving them your unlocked phone with the discord app open. don't do that!

[braindigitalis]

is there no way to lock the token to an ip address or device id?
Generally on other services, tokens are tied to devices, and adding a new device requires a new token...

[Zoddo]

Locking tokens to an ip address is probably not a good idea as people on smartphones or connecting their computers from multiple locations (eg. home & school) would have to constantly re-login.

About locking the token to a device ID... well how do you get the device ID? By sending it in the request. So if someone can obtain the token, they can probably also obtain the device ID, and fake it when making requests.
Some services do that sort of fingerprinting (eg. locking the token/session to the user-agent or a specific OS), but this can be (and will be) circumvented by people wanting to steal/misuse tokens.

[NovaFox161]

Locking to IP only would also cause problems for anyone (most people) that have dynamic IP addresses. Imagine the lease on the IP resetting and now all your tokens are invalid for you.

I personally don't see much reason in adding these additional restrictions as it should be common sense not to share your token, and these restrictions really won't do much against most types of attacks. Don't click links or install/download/run things you don't know/trust. Not too mention, its only discord, its not a banking account where an attacker could get your financial information.

You can invalidate all sessions and tokens by changing your password, which should be step number one if you suspect your account may have been compromised.

[braindigitalis]

Don't click links or install/download/run things you don't know/trust. Not too mention, its only discord, its not a banking account where an attacker could get your financial information.

You assume here that every user of discord is like you or I, and knows not to run random things. The fact this discussion is being had shows that it is an issue and needs addressing. No other platform i use takes a lazy attitude to 2FA. I'm pretty sure i cant just clone my phones settings to another phone and expect the google account to just work, for example (basically, copying the session token). Same with microsoft's office.com tokens.
Most people are not like us, do not avoid clicking random files, fall for phishing and scams, and we really should do our best to protect these users from themselves. As developers, its the right thing to do IMHO.
How this is reached as a solution is of course up to discord, but as discord has grown they cant just stick their head in the sand forever...

[NovaFox161]

Honestly its hammered into people not to click untrusted links or download untrusted files. This should be as obvious today as not touching boiling water. Ever been told about "stranger danger"? That applies on the internet as well.

As for the other claim, no, you can just copy session cookies from one device to another and they will work. The only places that won't be possible would be some sort of high security application like banking. I can do it right now with my google and github accounts.

Region locking, IP locking, or device locking tokens are all incredibly easy to bypass, and completely and utterly useless if you run/install something, as the actor could then run whatever the hell they want. They could take over the client and do all the actions on your own computer. No form of token tracking would prevent that kind of attack. The only attack that your proposed solution would prevent would be token leaking/theft and having it transmitted somewhere over the internet. And in that case it is also easy to bypass several of those proposed token locks.

Please stop spreading fud.

[Zabbb]

Don't click links or install/download/run things you don't know/trust. Not too mention, its only discord, its not a banking account where an attacker could get your financial information.

You assume here that every user of discord is like you or I, and knows not to run random things. The fact this discussion is being had shows that it is an issue and needs addressing. No other platform i use takes a lazy attitude to 2FA. I'm pretty sure i cant just clone my phones settings to another phone and expect the google account to just work, for example (basically, copying the session token). Same with microsoft's office.com tokens. Most people are not like us, do not avoid clicking random files, fall for phishing and scams, and we really should do our best to protect these users from themselves. As developers, its the right thing to do IMHO. How this is reached as a solution is of course up to discord, but as discord has grown they cant just stick their head in the sand forever...

I agree that having to add all of those restrictions will make the hacking of a discord account of a normal peep totally pointless, but I agree more in the point of adding those measures for me will just raise other concerns as much as adding the locking the token to an ip address of a device and whatnot.

[braindigitalis]

connecting their computers from multiple locations (eg. home & school) would have to constantly re-login.

rather this than have my account stolen...

Seems discord are constantly playing cat and mouse with people writing malicious token stealers, some of them very sophisticated. This would at least make that sort of attack much more difficult.

As far as im aware we dont even have a way to list devices using our credentials and force them all to log out and re-auth with 2FA. Think like google have. If we at least had this option, if someone thought they'd been hacked they could at least click this nuclear option logging out all sessions and forcing 2FA again on all.

[TwilightZebby]

Oh sick, where? Never seen it

@isaackogan The act of changing your password resets your token. So it would be the "Change Password" button you're looking for :)

[isaackogan]

Oh sick, where? Never seen it

@isaackogan The act of changing your password resets your token. So it would be the "Change Password" button you're looking for :)

Didn't know, very cool! Isn't that a bit unclear for the end user? Though I guess token stealing isn't exactly normal use. Willing to bet most people aren't getting helpful advice in GitHub threads though. Still awesome to know so ty.

[renhiyama]

Oh sick, where? Never seen it

@isaackogan The act of changing your password resets your token. So it would be the "Change Password" button you're looking for :)

Didn't know, very cool! Isn't that a bit unclear for the end user? Though I guess token stealing isn't exactly normal use. Willing to bet most people aren't getting helpful advice in GitHub threads though. Still awesome to know so ty.

It would be really cool for a button on user settings to reset token, where it would be asked for 2fa again, and then reset the token everywhere.

[NovaFox161]

the change password button. That's what you're thinking of.

[renhiyama]

the change password button. That's what you're thinking of.

A normal discord user who isn't in coding or doesn't know about "tokens" can never know this fact

[InvalidLenni]

I think the tokens are securely.
Don't click on random links and download something what are sus, and don't leak your user token ^-^

[renhiyama]

I think the tokens are securely.

If thats the case, why can any app (dangerous ones ofc) easily get someone's token if they're running on their PCs? Can't wait for avast antivirus and other fake ones to steal tokens, just as they sold data before, same with McAfee.

[renhiyama]

What if discord provides additional security like how it asks for 2fa again when I'm deleting servers or changing password, if discord sees that I'm either sending a lot of frnd req or blocking a lot of people (when someone is hacked, this happens) discord can lock up that token and ask for 2fa in order to continue. If the user fails to provide it, notify the real user via email that their account is compromised.

I once saw Facebook doing this: my father's account was once logined to an different service with dangerous scopes and stuff, so Facebook thought there is something wierd going on with his account that time, so they said to reset the password because they feel it's been compromised and then they FREAKING showed a one month view of what the account had done on Facebook, which messages it gave likes, which accounts were unfriended or friended, which groups did he join or leave, everything had been shown a brief review. I think this feaure would be very cool and safe if it could be implemented to discord too.

[typpo]

This discussion board is for API suggestions and feedback, and this post doesn't really fall under API talk, so it's now locked.

To OP's point, as far as I'm aware the only way to extract a token is to compromise the machine with Discord installed. Unfortunately, once an attacker's code is running with user privileges, it follows that they can do anything you can do. Discord continues to take steps to limit the spread of malicious software and to mitigate the impact of stolen tokens.