Arc Raiders was accidentally recording Discord conversations into an unencrypted local game file
14h 50m ago by lemmy.world/u/Th3D3k0y in games from www.tomshardware.com
Remember you can trust Discord with your driver's license for verification, I'm sure they won't accidentally store them in a plain text open API call or anything.
How do you "accidentally" record other people's conversations?
If I'm reading it right, it's kinda like how that one guy "hacked" 70,000 robot vacuums. Bad scope limits.
Game uses token to do the rich presence stuff, and instead of just getting a confirmation back, it gets everything.
So in other words rich presence shares your conversations with game makers
Not necessarily. Developers choose what permissions their authorization token has when they register it with Discord. In this case the game asked for an auth token with all permissions, so the game connects to Discord with the same access levels as your actual login.
Yeah that's what the person before me said. I'm saying that the fact it's possible at all is a horrible violation of privacy
There are legitimate reasons to ask for an "all permissions" token, such as setting up and using a third party client. A game is not one of the things that should be asking for that though.
By being a bad security actor when asking permission and giving permission.
"accidentally"
Lmao. A game accidentally receiving your Discord DMs and credentials if you sent a crash report just because game devs integrated basic Discord functionality is insane. But kind of what you have to expect from Discord and why I’ll never enable Discord integration.
Issue seems to be with Discord's SDK, not Embark. Good on Embark responding quickly by patching something Discord should be responsible for, though.
Well... They quickly patched it when it went public. It was reported to them a month ago.
Based on a post from him, he had difficulty actually getting to their bug bounty report system, which is hosted by another company. So it sounds like until it was made public they hadn’t actually received the report.
Fuck Discord
accidentally
accidentally?
Can't wait until Fluxer is ready for full migration from Discord.
I've been using Fluxer recently. It's been pretty nice since they migrated the servers, and as soon as self-hosting and federation get added (which is top priority according to Herman), I hope people will switch over.
Federation and easy self hosting will be killer for sure. There is already a Discord migration bot and a Discord-Fluxer bridge bot I think. Future is looking hopeful.
Why use Fluxer over Matrix?
Matrix still misses a ton of features to be a direct 1:1 Discord replacement. On top of that Fluxer has a familiar UI (it's essentially just a Discord clone) and is simpler in onboarding (Matrix is still techy).
Fluxer is a direct Discord drop-in. Matrix requires a lot of setup and tweaking to get high throughput video. Plus the default server and client are bloated and buggy
Plus the default server and client are bloated and buggy
I'm not sure why people keep repeating this. I've been running both for 6 months without issues (see recent comment about DB maintenance). Maybe it was true before and isn't true anymore.
All I did was take the information and put it in a paper bag and leave it on the side of the road. If a bad person picked up the bag and did bad things with the information, that's not my fault!
/S
It's more like some business partner keeps hiding pages of personal information of customers in the work they submit to you. Then someone finds out you have all that information and now it's your job to clean up the mess. If you have friends like Discord you don't need enemies.
It's a good point around the recent CA age verification laws: Sensitive data (is this user a potential target for predators?) can't be leaked if it was never recorded in the first place.
This shit is why I only use Discord in the browser and try not to directly link any accounts anywhere. Anything sniffing around my executables and talking between them is sketchy. Anything asking for access to my other accounts is sketchy.
It's more than time to move away from Discord.
So far, on the Matrix protocol front, Commet is a good candidate.
On the XMPP protocol front, Movim is... moving forward, developing a clone interface that is promising.
There are others, like Stoat and Fluxer, but I don't know much about them.
Why Commet and not Element?
Hi! Because of the UI, which aims to be similar to Discord.
To be honest, this is why I immediately disable integrated voice chat for any games that have it and use a third-party voice chat app with end to end encryption for chatting (like Signal).
This didn’t have to do with voice chat, it was the in-game integration with Discord's SDK that was just supposed to be for including your Discord friends in your in-game friends list and being able to invite them.