Discord security and privacy issues in 2021


Discord is the go-to app for communication by voice, video, text, or a mix of all three. It's especially popular in the gaming community: players use it to discuss Counter-Strike strategies or coordinate an Apex Legends attack on another squad, which may be why over 250 million people have joined this Voice over IP (VoIP) service.

However, the service is now under scrutiny, not only because of numerous security holes but because of incidents so extreme that they attracted an FBI investigation. This article covers the threats to your privacy and security on Discord and what you need to know to stay private while using it.

Quick guide on how to browse Discord privately

  1. Pick a reputable VPN service provider. We recommend NordVPN due to its exceptional security.
  2. Register to create an account and pay for your subscription.
  3. Install the NordVPN app and log in using your credentials.
  4. Once you connect to one of its servers, your traffic is encrypted, providing a much safer browsing experience.

Discord privacy issues

Since 2015 when Discord was founded, a few stories have emerged about privacy that users should be aware of. They probably won't stop you from using Discord to play your favorite games online, but they may encourage you to keep your chats more private.

In late 2017, as Discord's user base reached 100 million, the gaming press was suddenly filled with talk about the platform's security issues.

1. Poor product management

Services that you use for your gaming communication should adhere to the same quality standards we apply to other services, especially considering that you're granting them access to your microphone, screen, and webcam. However, Discord's approach to looking after its own product has been somewhat clumsy. Here are a few examples:


● Outages resulting in hours of downtime despite promises of a fix. Since then, there has been no word on what was implemented and what's on hold.

● Several months ago, Discord deleted its bug report boards, along with several years' worth of issue reports. Some of the reported issues persist to this day but no longer have any public record.

● Refusing user requests to fix the UI, then banning users who customize their UI with addons because doing so is against the terms of service.

This is just the tip of the iceberg. Discord's source code isn't available, so it's not clear how deep this rabbit hole goes when it comes to the actual software. What is clear is that there are many, many exploits.

2. Could it be that Discord is a piece of spyware?

Some of Discord’s privacy concerns relate to the way they collect and use data. According to the Spyware Watchdog, the threat level, in this case, is “extremely high” because everything users say or write passes through company servers.

The main way Discord collects information is through the /api/track and /api/science routes. Both application programming interfaces are identical and accept the same input. If you're using a browser with a content blocker like uBlock Origin, /api/track will be blocked, but /api/science gets through untouched.

Most importantly, the client sends data through these routes regardless of whether the user has given permission. The Privacy & Safety settings only let you opt out of the use of your collected data, not of the collection itself.

Discord's response is that it collects the data in case the user later allows its use. Well, they already have your data, and it's sitting on their servers. Are they privacy-conscious enough to wait for your permission before using it? Extremely unlikely.

3. Trustworthiness of the service


There are numerous reports of Discord going so far as to ban users for joking about being underage. This happens because being under 13 violates Discord terms of service, so getting a ban on Discord lifted will require you to provide an image of your passport with your username written on a piece of paper. Seems rather extreme, but okay - they hold their own staff to the same high standards, presumably… right?

In fact, not at all. There were numerous reports of administrative abuse coming from Discord employees. For example, there are reports of staff snatching vanity URLs for their own channels, skipping official procedures for doing so. This doesn't paint Discord as a trustworthy organization in the slightest.

In 2018, law enforcement sought to use evidence from Discord chat rooms against one of the organizers of the 2017 "Unite the Right" protests in Charlottesville, which left a protester dead.

It turned out that neo-Nazis had been using Discord as an organizing hub for their activities. Discord representatives denied knowing anything about that. Afterward, a legal tug of war ensued to determine if anonymous Discord users could be identified.

In August 2018, a judge ruled that the identification of users and their discussions was admissible, potentially compromising future private chats – regardless of whether far-right figures are involved.

5. Things for ROBLOX players to worry about

Some security experts noted that the Discord API could be used to create apps that harvest data of ROBLOX players (a popular title on Discord at the time). By inserting so-called webhooks, cybercriminals could "fish" out ROBLOX sign-in codes and use them to extract in-game currency.

While specifically tied to ROBLOX, such a method could be used for wider malware attacks across other Discord servers – raising the potential for more severe security scandals.

6. Malware hosting and distribution service


Discord's safety could be described as rebranded LimeWire: it won't infect your device on its own, but it provides fertile ground for malware to spread if you're not careful about what you click on. Remote access trojans (RATs) are the most common type of malware distributed via malicious links. Once you open such a link, the RAT is installed on your device, giving the attacker administrative control over it. This is horrendous for your privacy. The most recent of them is AnarchyGrabber3, still an active exploit.

Discord also has pretty loose regulation of files distributed within its ecosystem. Anyone can upload a file to a Discord server and then share its link externally; even people without a Discord account can download it. Moreover, if the uploader deletes the file or their account, the platform still stores it in its content delivery network, so the original uploader can't be traced from a Discord download URL alone.

7. Discord permissions

When we talk about Discord permissions, we are talking about two different things: app permissions and role permissions within the servers or specific channels. What is common between them is that both could be potentially dangerous for your privacy.

Regarding app permissions, we already discussed how turning off Data Collection prevents your data from being used rather than collected. Separately, the app's system-wide push-to-talk only works if the app receives keystrokes from every application, not just Discord. Considering the sorry state Discord privacy is in, this should never be allowed if you value your privacy.

The situation isn't any better when it comes to channel-specific permissions. Users can override the moderator or admin hierarchy and change nicknames or Gamertags. If you hold a role that allows managing permissions, you can't grant permissions to yourself directly, but you can grant them to @everyone, which effectively gives them to yourself, and the list goes on.

Does the Discord privacy policy give any reason for concern?

With the privacy and data collection subjects catching more attention of late, Discord has revised its privacy policy, and has become slightly less opaque about the way it handles user data. Here are four key points:

  1. Discord records the following information: "username, email address, and any messages, images, transient VOIP data (to enable communication delivery only) or other content you send via the chat feature."
  2. Whenever you use Discord, your IP address and activity are logged from start to finish.
  3. Aggregated data is regularly sold on to third parties or used internally for "research" purposes.
  4. Discord collects information about your contacts if you link social media accounts.

None of that is very reassuring. However, users can manage the amount of data they share by changing their Discord privacy settings. As the privacy policy states, "We may transfer your information with your consent." Many users simply click through permissions and T&Cs, meaning they willingly share a huge amount of data about themselves and their acquaintances.

Managing your Discord privacy settings

The first step is getting your Discord settings right.

To do so, head to the Privacy Settings menu – you'll find it by clicking the down arrow located next to the name of your current server.

This will allow you to manage things like friend requests and blocks. But what it won't do is ensure minimal data collection, including keeping your messages private.

Still, it's like using Facebook and expecting that ticking some of the boxes will allow you to retain a reasonable amount of privacy. In Discord's case, your privacy is on the line from the moment you decide to sign up for this service. If you must use it for communication purposes, make sure not to click on any suspicious links. Arguably, the browser version is more secure as it doesn't create entries in your system registry.

Closing thoughts

Discord is riding a wave of popularity: its product has many privacy issues, but the lack of competition in its niche has made the company very successful.

Incidentally, popularity is Discord's main selling point. It's much easier to opt in to a service that everyone is using than to carve a path on some niche platform where finding fellow gamers could be challenging. The main downside is that this creates perfect conditions for, and further incentivizes, bad practices ranging from slow patching of security holes to questionable community management.

If you must use Discord, use it with caution. Keep in mind that you'll be giving away a lot of your private data and drawing a target on your back for all willing hackers. Whether that's worth the price is for you to decide.


Comments

Stefan Wimble
3 years ago
This is a topic that’s near to my heart… Best wishes!
Exactly where are your contact details though?
Justinas Mazūra
3 years ago
If you want to get in touch with us, here you can find the contact form.
Voltairinelololol
4 years ago
People sign up for things like Discord with their real names & real email accounts? FFS, why would anyone do that?? You can create a free email account on gmail, hotmail, outlook live, Yahoo… Name it whatever you want (not your real name, obviously!!)… Then use it to sign up for FB, Discord, etc. Use them from a VPN, and they don’t know your real IP address, either. Never include your real address or phone number in ANY signup. As a girl or woman, this is THE ONLY way to safely use most of this social media crap and, frankly, the whole of the Internet. I knew this 25+ years ago when the Internet was just taking off!… But I guess people got dumber since then. A LOT dumber.
monkaHmm
3 years ago
This is some solidly outdated advice. If your entire perception of the internet is “Everyone’s out to get me! I need to hide my identity from anyone and everyone!” then I’m sorry that you’re stuck in this fear-mongering stage that the rest of the world has moved on from. Are there bad actors online, sure, just like there are everywhere else. Instead of actually learning how to be a global citizen online, you’ve chosen to deem the whole thing the devil and declare yourself above it
MehYeahRight
3 years ago
So how did discord pay you to say that?

And if you don’t work for them… you will find out eventually.. just like everyone else how stupid being careless with your data will do.
imajeff
3 years ago
This is the “nobody would ever do that” mentality that gets a lot of people in trouble when the IRS tells them we accidentally gave you too much so you must return it in gift cards
whyIsItSoEasyToJudgeOthers
4 years ago
That's what happens when there's no funding for schools. Humans aren't just born with this information; they have to learn it.
Globalism is for masochists
4 years ago
Very good heads up, thank you very much.
I’ve never used it. I was now entertaining the idea a bit only because I wanted to follow the news on something. After reading this, never mind.
Noneofyourfuckingbusiness
4 years ago
I was with you until the far right thing, bullshit propaganda.