by tomalaci 666 days ago
For those who don't want to piece together things from twitter, the summary is this:

Discord attempts to find nvidia-smi libraries by launching a series of PowerShell scripts. Those scripts are really terrible, with a lot of if-else logic based on hardcoded strings and environment variables. They are also apparently fairly slow and scan over 800 directories.

Honestly, this is just yet another example of Discord not really developing their software well security-wise.

Another bad security example: the 2FA implementation is not really that secure, since you can continuously ask for backup codes to be sent to your email, which you presumably open frequently on the same PC (there is already automated malware that will abuse this and circumvent your 2FA via newly generated backup codes).

Yet another terrible implementation: QR codes. There are rampant phishing attempts that work fairly well because they trick people into accepting an invite to some Discord server. Once you are in it, you are presented with an "anti-spam/anti-bot" verification check which asks you to scan and confirm a QR code. Little do the majority of people know that it is a login QR code, and once you scan it the hackers will just take over your account in less than a second, as all this stuff is easily automated already.

3 comments

> automated malware that will abuse this

How does this happen? Is it that the malware reads the contents of the email on the PC?

Regarding the QR code vulnerability, how do you know if you are scanning a harmful QR code?

Can you explain more about this QR code scam?

My understanding (which may be incorrect) is this:

On the login page of the web version of Discord, you have the option to log in in two ways: either by using a username/password combination, or by scanning a QR code with the Discord app on your mobile.

The QR code is linked to your desktop session, and scanning the QR code with a mobile device will cause Discord to authenticate the desktop session with the credentials stored on the mobile.

Thus, if the attackers take one of the QR codes from their own desktop session and give it to you, scanning it will authenticate their desktop session with your credentials.

The QR codes have a rotating code that's meant to prevent old QR codes from being used, but that only means that the attackers just need to re-request the QR code every so often and show the new one.
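The flow described in this answer (a QR token bound to a desktop session, scanned by an already logged-in phone, with a rotating code) can be modelled in a few dozen lines. The toy server below is an added example written for this thread; it is not Discord's code and makes no claim about Discord's actual API. The names (`LoginServer`, `issue_qr`, `scan_qr`), the 60-second lifetime and the `approve` callback are all assumptions. It shows why the rotating code alone does not help (a freshly issued token still binds whatever phone scans it to the session that requested it) and what a defender-side check adds: the phone is told which session it is about to log in and the user has to confirm, and each token is single-use and expires.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed token lifetime; this is a value chosen for the example, not Discord's.
QR_TTL_SECONDS = 60


@dataclass
class DesktopSession:
    session_id: str
    user: Optional[str] = None  # filled in once a phone approves the login


@dataclass
class QrToken:
    value: str
    session_id: str  # the desktop session this token was issued for
    issued_at: float
    used: bool = False


class LoginServer:
    """Hypothetical cross-device login backend (constructed for illustration)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, DesktopSession] = {}
        self.tokens: Dict[str, QrToken] = {}

    def new_desktop_session(self) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = DesktopSession(sid)
        return sid

    def issue_qr(self, session_id: str, now: Optional[float] = None) -> str:
        """Issue the rotating QR payload for a desktop session. Re-requesting
        simply mints a new token bound to the same session."""
        now = time.time() if now is None else now
        tok = QrToken(secrets.token_urlsafe(16), session_id, now)
        self.tokens[tok.value] = tok
        return tok.value

    def scan_qr(
        self,
        token_value: str,
        mobile_user: str,
        approve: Callable[[dict], bool],
        now: Optional[float] = None,
    ) -> str:
        """The phone presents a scanned token. `approve` is the confirmation
        prompt shown to the phone's user; it receives details of the session
        that would be logged in and returns True only if the user accepts."""
        now = time.time() if now is None else now
        tok = self.tokens.get(token_value)
        if tok is None or tok.used or now - tok.issued_at > QR_TTL_SECONDS:
            return "rejected: invalid, used or expired"
        tok.used = True  # single use, whatever the user decides
        requester = {"session_id": tok.session_id, "issued_at": tok.issued_at}
        if not approve(requester):
            return "rejected: user declined"
        self.sessions[tok.session_id].user = mobile_user
        return "approved"


def demo() -> dict:
    """Two phones scan a token that a session they do not own requested:
    one confirms blindly, one reads the prompt and declines."""
    srv = LoginServer()
    foreign_session = srv.new_desktop_session()  # a session the phone owner never opened
    t0 = 1_000.0

    blind = srv.scan_qr(srv.issue_qr(foreign_session, t0), "alice",
                        approve=lambda info: True, now=t0 + 5)
    who_is_logged_in = srv.sessions[foreign_session].user

    # The careful user only approves sessions they recognise as their own.
    my_sessions = {"some-other-session-id"}
    careful = srv.scan_qr(srv.issue_qr(foreign_session, t0), "bob",
                          approve=lambda info: info["session_id"] in my_sessions,
                          now=t0 + 5)
    return {"blind": blind, "logged_in_as": who_is_logged_in, "careful": careful}


if __name__ == "__main__":
    print(demo())
```

The point of the confirmation callback is that the rotating token only protects against replay of a stale image; it says nothing about whose session the fresh token belongs to. Showing the scanning user where the login request came from, and making the token single-use and short-lived, is the check that turns "scan a QR code" into "approve a specific login".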

If I'm reading GP right: there is a QR code displayed prominently on the Discord login screen, which is an image. Opening the link on a phone that is also logged into Discord skips everything and completes the login process. That QR code can be sent to a victim under false pretenses for account takeover?

Waiting for all of those “security professionals” to flame you that were here a few weeks ago when CS shit the bed lol.