Discord SDK Vulnerability Exposed Private Messages in Arc Raiders Game Logs

A serious security vulnerability has been discovered in Discord's SDK that allowed Arc Raiders to store Discord direct messages and user credentials in unencrypted local game log files, potentially exposing sensitive user data to anyone with access to the files.

(Image credit: Steam)

System engineer Timothy Meadows revealed the incident in a detailed blog post, explaining how Arc Raiders was storing Discord DMs between players in plaintext to a local log file on users' computers. The vulnerability stemmed from the game's use of Discord's SDK, which was storing a completely unencrypted bearer token and logging "all events" including private conversations to the user's local drive without any encryption.

The bearer token is particularly concerning because it stores the user's Discord credentials, and anyone who obtains this token gains full access to the Discord user's account, including private DMs, friends list, and account settings. This creates a significant security risk, especially considering that if Arc Raiders crashes and users send log files to Embark Studios (the game's development team), the company's employees would have access to that user's full account credentials and any DMs that were sent to the log files.

Arc Raiders uses the Discord SDK primarily to show users' Discord friends list in-game and invite Discord friends to play. For this limited functionality, Timothy Meadows noted that the game only requires a "limited OAuth scope for game activity display." This more restricted approach would have solved the issue by preventing Arc Raiders from recording DMs to log files and storing users' full account credentials in the game's log files.

The security flaw has sparked debate about where the responsibility lies. Some engineers who inspected Discord's API argue that the issue originates with Discord itself rather than with Arc Raiders or Embark Studios. One engineer stated: "I dug into the ARC Raiders Discord token leak issue; this might not be ARC Raiders or Embark's fault. Discord's new Social SDK has a logging hook you can override, and as far as I can tell Discord is failing to scrub log events of sensitive information."

Thankfully, Embark Studios has since addressed the vulnerability with a hotfix. The game company has assured users that no private or personal data was sent outside of gamers' PCs, and the company itself has not reviewed or kept any personal information that might have been sent to them. As a precautionary measure, Embark Studios has completely disabled Discord's SDK and is conducting a thorough audit to ensure there are no other problems with the SDK.

This incident is not the first security challenge Discord has faced. The social platform was targeted by a ransomware group late last year, with attackers demanding $3.5 million from Discord's developers and allegedly stealing 70,000 government ID photos. The recurrence of security issues raises questions about the platform's security practices and the potential risks for developers integrating Discord's SDK into their applications.

The vulnerability highlights the importance of proper security measures when handling user credentials and private communications in gaming applications. Developers must carefully consider the scope of permissions they request and implement appropriate encryption for any sensitive data stored locally. For users, this incident serves as a reminder to be cautious about the permissions granted to games and applications, particularly those that integrate with social platforms like Discord.

As the gaming industry continues to integrate social features and cross-platform functionality, the security implications of these integrations become increasingly critical. This incident with Arc Raiders demonstrates how a seemingly minor feature like displaying a friends list can lead to significant security vulnerabilities if not implemented with proper safeguards. The swift response from Embark Studios in patching the issue and conducting a security audit is commendable, but it also underscores the need for more rigorous security testing and validation of third-party SDKs before they are integrated into production applications.