Time to give everyone another heads up on site wide issues involving Discord and security. Discord recently released an easier way to login with your account by allowing users to scan a QR code to get into your account. This might seem very convenient for most users, but it has its flaws unfortunately. Bad actors are currently going around doing social engineering telling users that “they were gifted Discord Nitro” (View screenshot down below for an example of what it looks like.)
Once scanned the bad actor will be able to see your account picture on their Discord client (Which you can view a screenshot of what it will look like on the attacker’s side.
You will then see a notice come up on your phone that says “Almost there! You’ve got the key to log in on this computer. Please confirm that the avatar shown is you” and then gives you an options like “IT’S ME LET ME IN” or “cancel” (You can see the example in the screenshot below)
Once you hit that “IT’S ME LET ME IN” button the attackers now have access to your account and can Hijack your account regardless of you having 2FA on or not which is the scary thing.
How Do I Protect Myself?
The best way to protect yourself is not to scan any QR codes that anyone sends you through DMS on Discord. I would also block that person and report that person to Discord’s Trust and Safety Team ASAP! I also suggest going to each Discord server that your in and and left click and go to Privacy Settings and turn off your DMs for that server, due keep in mind if another user is in another server your in and your DMs are open for that server they could still DM you so I would suggest turning off your DMs for that server as well.
Discord Responds to QR Code Concerns
On January 12th a Discord user by the name of u/Mayel420 made a post on Reddit asking if the QR code scheme was real in which the post got a lot of attention especially from the Discord team. The Discord team goes on to say that they do agree and there should be more clear verbiage and a warning could be in place which I feel could help a little bit for users to be mindful. (you can see full link to comment down below.)
Discord also goes on to say that they made the changes to how long a QR code is valid for. They state that when they first launched the feature, it would take 10 minutes for the QR code to go invalid, but they since reversed it and made it 2 minutes. (You can find that comment down below)
Since then Discord has made the changes to show a warning to users that says “Only scan QR codes taken directly from your browser. Never use a code sent to you by another user.” (you can view that message in the screenshot down below)
My Final thoughts!
I feel Discord should really re-evaluate this new feature and collect feedback on it. This is truly something very scary especially for people who have 2FA set up on their account and with just a scan of a QR code someone can just gain access to an account just like that without authentication via authy or sending a text message code on your phone. I hope Discord will make a comment on this and keep everyone updated about the ongoing issue. Once they make a comment I will update this blog post.