
You're storing messages, how are you guaranteeing safety of those messages when it looks like one can seemingly just blast through your API calls to find messages when one isn't even on that server?


A few seconds of research would have revealed that their API requires an authentication token[1]

[1] https://discordapp.com/developers/docs/reference


And a few extra additional seconds of research shows that they don't change the token unless you change your password, as opposed to having the token expire after every session.

Very bad security practice.


A few seconds of pen-testing tells me their token revocation is pretty shoddy. I'm now spying on my fiance's Discord chat.

Bravo to those that downvoted me without even bothering to use their brains (let alone test something).


The normal token system revokes on password change; if you want to revoke and have extra security, we offer MFA login, which has unique tokens per login. If security is of importance to you, then use MFA.


Why are you not revoking tokens after session end across the board? Token re-use is one of the faster-rising security breach factors nowadays.


Your first claim seems to be wrong - why wouldn't people downvote it?


As one of the project coders notes - "The normal token system revokes on password change"

Very bad security practice. Token revocation is hard, folks. If you aren't making that token expire every session then you're doing it wrong.

In fact, this was even discussed here on HN 1600+ days ago - http://homakov.blogspot.com/2012/07/saferweb-most-common-oau...
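As an added illustration of the two models argued over in this thread (the developer's "revokes on password change" token and the call for a token that expires with every session), here is a sketch of a server-side session store; this is example code written for this page, not Discord's implementation, and the class, field and method names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    password_version: int  # snapshot of the user's password generation at login
    expires_at: float      # absolute time, so tokens die even if never logged out


@dataclass
class TokenStore:
    """Per-login tokens: each login gets a fresh random token, each token can be
    revoked on its own, and a password change invalidates every token at once."""
    ttl: float = 3600.0
    _sessions: dict = field(default_factory=dict)    # sha256(token) -> Session
    _pw_version: dict = field(default_factory=dict)  # user -> int

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a leaked session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, now: float) -> str:
        # Fresh per login and never derived from the password, so two logins
        # never share a token and the token reveals nothing about credentials.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(
            user, self._pw_version.get(user, 0), now + self.ttl)
        return token

    def validate(self, token: str, now: float):
        """Return the user for a live token, or None if expired/revoked/unknown."""
        s = self._sessions.get(self._key(token))
        if s is None or now >= s.expires_at:
            return None
        if s.password_version != self._pw_version.get(s.user, 0):
            self._sessions.pop(self._key(token), None)  # stale after password change
            return None
        return s.user

    def logout(self, token: str) -> None:
        # Ending one session revokes only that session's token.
        self._sessions.pop(self._key(token), None)

    def change_password(self, user: str) -> None:
        # Bumping the version orphans every token issued before the change.
        self._pw_version[user] = self._pw_version.get(user, 0) + 1
```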



