lbryio / lbry-desktop

A browser and wallet for LBRY, the decentralized, user-controlled content marketplace.
https://lbry.tech
MIT License
3.56k stars 414 forks

security Request: use a better (native) chat service for rewards verification. #3472

Closed Tcll closed 4 years ago

Tcll commented 4 years ago

I would expect a service claiming to be serious about security to not use such an insecure chat method. (yes I'm disappointed)

Discord has a MAJOR issue with hackers gaining access to someone's account via token hacking, and what's worse is Discord staff allow hackers to do so, AND it's illegal to protect yourself from it (read their user guidelines) since they won't protect you from it. Token hacking bypasses login and 2FA to gain access to any account you like, including bot accounts.

I will never use Discord again after my account and servers were griefed numerous times trying to resolve the issue. (not to mention my account was later blacklisted for reporting the hackers and trying to secure Discord)

The process of protecting yourself on Discord involves creating a self-bot to scan both the IP and machine info (bot must be written in JS) and automatically log your account out if the scanned info doesn't match your known valid info (i.e., a hacker has token hacked your account). Both the self-bot and the action of using it to protect yourself from hackers are illegal.

Please stop using Discord as a means of chat verification.

Also, no, I don't have a phone (they're the most insecure device on the planet) and can't verify rewards through that.

For a simple verification alternative, Discord bot moderators have used GitHub issues to verify users. While I'm not in favor of GitHub because of Microsoft owning your stuff, and use GitLab as a more freedom-focused alternative, it's at least a better alternative than Discord.

But I recommend building your own verification service. ;) Heck, emailing your host through encrypted email is better than any 3rd-party service.

tzarebczan commented 4 years ago

Thank you for your concerns. Many users are auto verified, and the majority of others can one phone/credit card verification. We also use our community to help with these, that's why Discord works for us. We can do some one-off ones via hello@lbry.com as well. Send us an email if you require verification.

Tcll commented 4 years ago

alright thank you :)

But yeah, just making suggestions for improvement to more secure services. It's not hard to host your own secure chat from your own server, but I understand the resources and time needed to do so, and you're already halfway there. That's why I suggested GitHub/GitLab or email.

thanks again for having email be a thing, I'll get to it later today :)