
Timothy discovered that Arc Raiders' Discord SDK was using a completely unencrypted bearer token and logging "all events," including any private conversations, to the user's local drive without any encryption. A bearer token stores the user's Discord credentials, and anyone who gets this token has full access to the Discord user's account, including private DMs, friends list, and account settings.
This is made worse by the fact that if Arc Raiders crashes and the user sends log files to Embark Studios (the game's development team), the company's employees will have that user's full account credentials and any DMs that were sent to the log files.
Arc Raiders uses the Discord SDK to show your Discord friends list in-game and invite Discord friends to the game. For this limited functionality, Timothy states the game only requires a "limited OAuth scope for game activity display." Restricting the game to that scope would solve the issue and stop Arc Raiders from recording DMs and storing a user's full account credentials in the game's log files. Some engineers who've inspected Discord's API say the issue lies solely with Discord, however.
I dug into the ARC Raiders Discord token leak issue; this might not be ARC Raiders or Embark's fault. Discord's new Social SDK has a logging hook you can override, and as far as I can tell Discord is failing to scrub log events of sensitive information.
API: discord.com/developers/d…
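The scrubbing step that the post above says is missing can be sketched as follows. This is an added example, not code from Discord, Embark Studios, or the original article. It assumes the game passes each SDK log line through its own callback before writing to disk; `scrub_log_line` and `make_scrubbing_sink` are hypothetical names, and the `Bearer` header and JSON field shapes are assumed rather than taken from real SDK logs.

```cpp
#include <functional>
#include <iostream>
#include <regex>
#include <string>

// Hypothetical helper (not an SDK function): redact credentials and message
// bodies from one log line before it reaches disk.
std::string scrub_log_line(const std::string& line) {
    static const auto flags = std::regex::ECMAScript | std::regex::icase;
    // "Bearer <token>" as it appears in an HTTP Authorization header.
    static const std::regex bearer(R"((Bearer\s+)[A-Za-z0-9._~+/=\-]+)", flags);
    // JSON string values of sensitive keys (assumed key names); the value
    // pattern steps over escaped quotes so a message containing \" is not
    // partially leaked.
    static const std::regex json_secret(
        R"re(("(?:access_token|refresh_token|token|content)"\s*:\s*")(?:[^"\\]|\\.)*("))re",
        flags);
    std::string out = std::regex_replace(line, bearer, "$1[REDACTED]");
    return std::regex_replace(out, json_secret, "$1[REDACTED]$2");
}

using LogSink = std::function<void(const std::string&)>;

// Wrap whatever writes the log file so every line is scrubbed first.
LogSink make_scrubbing_sink(LogSink inner) {
    return [inner](const std::string& line) { inner(scrub_log_line(line)); };
}

int main() {
    // Constructed sample lines, not real SDK output.
    const char* samples[] = {
        "HTTP GET /users/@me Authorization: Bearer abc.DEF-123_x",
        R"({"t":"MESSAGE_CREATE","d":{"content":"meet at \"noon\"","id":"1"}})",
        "voice state changed: muted=true",
    };
    LogSink to_disk = make_scrubbing_sink(
        [](const std::string& s) { std::cout << s << '\n'; });
    for (const char* s : samples) to_disk(s);
}
```

Redaction of this kind is a backstop: requesting only the narrow OAuth scope and lowering log verbosity keep the secrets out of the log stream in the first place.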
Thankfully, Embark Studios has since patched the issue with a hotfix. The game company assured users that no private or personal data was sent outside of gamers' PCs, and the company itself has not reviewed or kept any personal information that might have been sent to them. Embark Studios has completely disabled Discord's SDK and is conducting an audit to ensure that there are no other problems with the SDK.
This isn't the first time Discord has had to deal with security issues. The social app was hacked late last year by a ransomware group that demanded $3.5 million from Discord's developers and allegedly stole 70,000 government ID photos.