The popular gaming messenger service has cautioned its users about the risk of pwned accounts.
Discord has altered parts of its QR (quick response) code login system following reports of a QR code login scam. A number of the service’s users had warned that scammers were abusing the previous version of the feature to gain access to user accounts.
Discord implemented the changes to close weaknesses in the feature, which first launched in December. It didn’t take long before the feature was targeted by a QR code login scam, which abused a mechanism meant to let users log into the desktop web client from their phones simply by scanning an on-screen QR code.
Fraudsters reportedly began trying to exploit the system as soon as the feature launched, aiming to gain access to user accounts. According to discussions on Discord servers and posts on social media, scammers have been sharing QR codes that promise free Nitro, Discord’s paid subscription package, along with other supposed giveaways.
Scanning one of these codes inadvertently grants the fraudster access to the victim’s account.
“The login-by-QR method works without any username/password and 2FA, and while it makes Discord way more convenient to log into everywhere, it unfortunately is being exploited in the form of fake Nitro gifts (and possibly other forms),” posted one Discord user as cited by PortSwigger.
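To make the weakness the quoted user describes concrete, here is an added toy model of a scan-to-login flow. It is example code written for this article’s point, not Discord’s own implementation or protocol; the server class, the request ids, the short code lifetime and the `require_confirmation` switch are all assumptions. It contrasts a flow in which scanning alone approves the login with a hardened flow in which the phone user must explicitly confirm a labelled login request, and in which stale or already-used codes are refused.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Toy model of a QR-code login flow (constructed for illustration; not Discord's protocol).
# The desktop client asks the server for a one-time login request and shows its id as a QR
# code. A logged-in phone scans the code and asks the server to approve the request as that
# user. The desktop client then polls and receives a session for the approving account.

QR_TTL_SECONDS = 60  # assumed short lifetime for a pending login request


@dataclass
class PendingLogin:
    device_label: str                  # what the requesting client claims to be (shown to the phone user)
    created: float                     # server time when the request was created
    approved_user: Optional[str] = None


class QrLoginServer:
    def __init__(self, require_confirmation: bool, now: Callable[[], float] = time.time):
        # require_confirmation=False models the flow as the article describes it:
        # scanning alone grants access. True models the hardened flow.
        self.require_confirmation = require_confirmation
        self.now = now
        self.pending: dict[str, PendingLogin] = {}
        self.sessions: dict[str, str] = {}  # session token -> username

    # --- desktop side -------------------------------------------------
    def start_login(self, device_label: str) -> str:
        """Create a pending request; the returned id is what the desktop encodes in the QR."""
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = PendingLogin(device_label, self.now())
        return request_id

    def poll(self, request_id: str) -> Optional[str]:
        """Desktop polls until the request is approved; returns a session token or None."""
        req = self.pending.get(request_id)
        if req is None or req.approved_user is None:
            return None
        del self.pending[request_id]  # one-time use: a code cannot mint a second session
        token = secrets.token_urlsafe(16)
        self.sessions[token] = req.approved_user
        return token

    # --- phone side ---------------------------------------------------
    def scan(self, request_id: str, phone_user: str,
             confirm: Optional[Callable[[str], bool]] = None) -> bool:
        """Phone reports a scanned code. `confirm(device_label)` is the user's explicit yes/no."""
        req = self.pending.get(request_id)
        if req is None:
            return False
        if self.now() - req.created > QR_TTL_SECONDS:
            del self.pending[request_id]  # stale code: refuse and forget it
            return False
        if self.require_confirmation:
            # Hardened flow: the phone shows who is asking and the user must explicitly agree.
            if confirm is None or not confirm(req.device_label):
                return False
        req.approved_user = phone_user
        return True


def simulate(require_confirmation: bool, victim_confirms: bool) -> Optional[str]:
    """A login request created on a stranger's desktop and shared as a 'giveaway' QR code.
    Returns the account name the stranger's client ends up logged in as, or None."""
    server = QrLoginServer(require_confirmation)
    request_id = server.start_login("Web browser on an unknown Windows PC")  # stranger's request
    # The victim scans the shared code while logged into their phone app.
    server.scan(request_id, "victim", confirm=lambda label: victim_confirms)
    token = server.poll(request_id)  # the stranger's desktop client polls for the session
    return server.sessions.get(token) if token else None


if __name__ == "__main__":
    print("scan alone approves:       ", simulate(False, False))
    print("confirmation, user declines:", simulate(True, False))
```

With `require_confirmation=False` the scan logs the stranger’s client in as the victim, which is exactly the account takeover the article reports; with the confirmation step, the request is shown to the phone user with its device label and is only approved if they agree, and codes that have expired or already been redeemed are rejected regardless.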
As of this writing, there is no consensus on how severe the access granted by this QR code login scam could be. It depends primarily on what an attacker could reach with access to a given account. For some users, the result would merely be frustration; for others, it would open them up to being effectively impersonated online.
Following the release of a proof of concept demonstrating how easily this type of QR code login scam could be carried out, Discord updated the feature to stop attackers from using it to gain access to a user’s name, address and other data.