A popular game read your messages on Discord. Even the private ones
A serious security flaw was detected in the Discord SDK package used by some computer games. It was reported by Timothy Meadows, who discovered while analyzing one of the games that users’ private messages may be saved in local log files without any encryption. The problem affected, among others, the game ARC Raiders, but the developers quickly reacted and published a fix.
The vulnerability may lie with Discord and not with the game itself
Meadows described the situation on his blog. His findings showed that the Discord SDK implementation in ARC Raiders used an insecure bearer authorization token. This type of token stores Discord user login details. If someone gains access to it, they can take full control of the account, including access to private messages, friends list and profile settings.
ARC Raiders uses Discord integration mainly to display a list of friends in the game and allow you to quickly invite them to play together. According to Meadows, a much more limited scope of OAuth permissions would be sufficient for such functionality. However, some engineers analyzing Discord’s API suggest that the source of the problem may lie with Discord itself, and not solely with the in-game implementation.
Embark Studios announced that the vulnerability has already been fixed via a hotfix. The studio assures that no users’ private data has been transferred beyond their computers, and that the company did not review or store personal information contained in the logs. Additionally, the developers decided to completely disable integration with the Discord SDK and started a security audit, which is to check whether similar problems occur in other elements of the software.
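A defensive sketch of the logging side of this issue, added here as an example and not code from Meadows, Embark Studios or Discord: a Python logging filter that masks bearer tokens and message bodies before they reach a local log file, plus a scanner for log lines that were already written. The `Authorization: Bearer` and JSON `content` formats, the function names and the sample lines are assumptions constructed for illustration.

```python
import logging
import re

# Assumed formats (not taken from the article): an HTTP-style
# "Authorization: Bearer <token>" header and a JSON "content" field
# carrying message text, as an SDK debug log might dump them.
BEARER_RE = re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]{8,}")
CONTENT_RE = re.compile(r'("content"\s*:\s*)"(?:[^"\\]|\\.)*"')


def redact(text: str) -> str:
    """Mask bearer tokens and message bodies in one log line."""
    text = BEARER_RE.sub(r"\1 [REDACTED]", text)
    return CONTENT_RE.sub(r'\1"[REDACTED]"', text)


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs the fully formatted record."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed via %-style args are caught too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def scan_log(lines):
    """Return 1-based numbers of lines that still hold unredacted secrets."""
    # redact() is idempotent, so a line that changes contained a secret.
    return [n for n, line in enumerate(lines, 1) if redact(line) != line]


# Constructed sample lines, not real log output.
SAMPLE = [
    'GET /users/@me Authorization: Bearer abc123.DEF456-ghi789',
    '{"type": "MESSAGE_CREATE", "content": "see you at 8 \\"sharp\\""}',
    'friend list refreshed: 12 entries',
]

if __name__ == "__main__":
    print("lines needing cleanup:", scan_log(SAMPLE))
    for line in SAMPLE:
        print(redact(line))
```

Attach `RedactingFilter` to the handler that writes the file, so every record passing through that handler is scrubbed regardless of which logger emitted it.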
Discord is clearly bad at data security
This isn’t the first time Discord has run into trouble. At the end of last year, the platform fell victim to an attack by a ransomware group that demanded a ransom of $3.5 million from the website’s creators. According to reports, the attackers also stole approximately 70,000 photos of identity documents. This raises considerable concerns regarding the upcoming mandatory age verification.
