Careful with Your Discord Server – It May Not Be as Secure as You Think
Origin Protocol’s co-founder Josh Fraser pointed out some of the popular platform’s vulnerabilities
Ever since its founding in 2015 as a tool for connecting and communicating with other gamers, Discord has very quickly established itself as the de facto community communications platform of choice for blockchain- and crypto-based projects and businesses of every conceivable type. From exclusive, invite-only Discord servers for NFT collections to airdrop and insider news communities, countless blockchain, NFT, crypto, DeFi, and Web3 projects use Discord as their go-to community engagement and marketing platform.
Unfortunately, many server security issues, hacks, compromised accounts, and other privacy problems on Discord have plagued the platform. Josh Fraser, a co-founder of Origin Protocol, recently highlighted many of these issues in a Twitter thread that he posted to educate the general public about the potential hazards of using Discord.
To begin, Fraser says that unauthorized third parties can gather many insights into the internal workings of different projects on Discord because the Discord API leaks the name, description, members list, and activity data for every private channel on every server. Since many crypto projects use private channels on Discord for many different needs, such as collaborating on as yet announced partnerships, product launches, exchange listings, and more, it is incorrect for anyone to assume that these channels are truly as private as their users assume.
To illustrate his point, Fraser explains how private servers for Binance staff, an OpenSea server for Solana launch partners, and a Compound Finance channel for Coinbase, were all found to not be private despite Discord signaling via a lock icon that they were.
What are some of the dangers of these issues? For starters, Discord’s security breaches range from leaking private server information, private user data (which can be used for doxing), and activity data (which can indicate an upcoming listing or release), to crypto projects using their multisig wallet addresses as the description for their private channels, which can potentially flag otherwise unremarkable data to malicious eavesdroppers. These are in addition to Discord effectively compromising the trust of the public (and its users) by not securing data on servers that should be private.
While these issues were brought by Fraser to the Discord team, it does not seem likely that they will be addressed anytime soon. It is in the best interest of the public to be aware of these potential security issues and to take whatever action they deem appropriate to protect their privacy and data.