I think I understand how the Discord QR exploit works now, though it took some thinking.
Should I write up an explanation?
@ari I don't think OAuth plays a role, though the mechanism may be similar.
Device A, not logged in, generates a QR code (Discord now does this automatically on the login screen)
User B, logged in to Discord on device B, scans QR code using Discord on B. Discord asks B to confirm that they want to authorize device A. If user B consents, device A is immediately logged in to user B's account.
The QR code is basically a unique device identifier. By scanning the code and pressing a button, user B is saying "give whoever generated this code complete and immediate access to my account, without requiring ANY OTHER EVIDENCE of authorization".
I think the main problem here is lack of human engineering: the user is being asked to authorize a Big Thing, but with very few safeguards to ensure that this is what they really meant to do.
@ari Worse, I don't see anywhere that there's a list of authorized devices so you can revoke access -- or even any way to disable the feature.
This feature should be disabled by default, since most people don't need it and aren't aware of the risk.
The enabling process should include a warning message saying something like "Enabling this feature will allow anyone to request instant login to your account, with no additional security, just by presenting you with a QR code. Use with extreme caution."
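A constructed model of the flow described in this thread together with the safeguards it asks for (opt-in only, a single-use code that expires, a list of authorized devices with revocation). This is an added example, not Discord's code; the class, method names and the 60-second lifetime are assumptions.

```python
import secrets

# Constructed model of a QR device-login flow (added example, not Discord's code):
# device A requests a token, user B approves it from a logged-in device, and A
# receives a session on B's account. Timestamps are passed in for testability.
QR_TOKEN_TTL = 60  # seconds a displayed code stays valid (assumed value)

class QRLoginService:
    def __init__(self):
        self.pending = {}        # token -> creation time
        self.sessions = {}       # session_id -> user
        self.qr_enabled = set()  # users who opted in (off by default)
        self.devices = {}        # user -> {session_id: token it came from}

    def enable_qr_login(self, user):
        """Opt-in: the feature stays off until the account owner enables it."""
        self.qr_enabled.add(user)

    def request_qr_token(self, now):
        """Device A (not logged in) generates the code shown on its screen."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = now
        return token

    def approve(self, user, token, now):
        """User B scans and confirms; returns a session for device A, or None."""
        if user not in self.qr_enabled:
            return None                    # feature disabled by default
        created = self.pending.pop(token, None)  # single use: consumed here
        if created is None or now - created > QR_TOKEN_TTL:
            return None                    # unknown or expired code
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = user
        self.devices.setdefault(user, {})[session_id] = token
        return session_id

    def authorized_devices(self, user):
        """The list the thread says is missing: what B can review and revoke."""
        return dict(self.devices.get(user, {}))

    def revoke(self, user, session_id):
        """Revoking a device ends its session immediately."""
        if session_id not in self.devices.get(user, {}):
            return False
        del self.devices[user][session_id]
        del self.sessions[session_id]
        return True

    def is_valid_session(self, session_id):
        return session_id in self.sessions
```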