PCGuru.Sg

Don't Trust Unverified Steam Links in Discord Profiles

There was recently an exploit in Discord, which could be used to connect anyone’s Steam account to your own Discord profile. Intuitively, since you needed to be logged into Steam for it to work, you might expect the account connection is verified and that nobody but you can list your Steam ID in their Discord profile. In truth, the Discord client attempted to find your Steam ID from the running Steam process, then linked it to your account with absolutely no verification, and that was unfortunately quite easy to spoof. Additionally, this information was used for friend suggestions, so impostors would end up getting suggested to whomever the victim had in their Steam friend list, posing a real risk of social engineering by impersonating trusted friends.

We contacted Discord’s security team about this. They resolved it by requiring OpenID (redirect to Steam login page) to connect any new Steam accounts, as well as to toggle display for any existing Steam accounts. Once you’ve logged in through Steam, your Steam name will have a verified stamp next to it, while any other connected profiles will not have it. If you connected your Steam account through Discord prior to June 1st, you can add the “verified” stamp by going into your settings, then under Connections, toggle the Display on profile setting for your Steam account. In order to display it again, you’ll be prompted to log in through Steam, after which your connection will now display as verified.

If you use Discord for anything related to Steam, especially trading, please do NOT use Steam links in Discord profiles as a way to confirm someone’s identity without first checking for a verified stamp. Even if they were suggested by Discord, they may be an impostor who wrongly linked your friend’s Steam account and enabled the “sync friends to Discord” feature. Any Steam accounts connected after June 1st should have required a Steam login, should already have the verified stamp, and can be considered safe. Any existing Steam connections added through the old (and now disabled) method will be grandfathered, and still display on their respective Discord profiles, but without the “verified” stamp.

Discord’s security team believes that it’s your responsibility to differentiate verified account connections (as was always the case with Reddit, Twitch, etc) with the stamp from those which Discord chooses not to verify, and if you’re scammed by an impostor then it’s your own fault for not checking that it’s “verified”. I could not find any documentation on their website explaining their use of the “verified” stamp, and the Discord developers have not returned my email asking for reference material I can cite, so I’m posting a PSA here.

Disclaimer: Although we exchanged multipe emails with Discord’s security team before this was fixed, and were immediately notified when changes were made, I can’t take credit for either the discovery (partial credit goes to r/Steam mods), or for ultimately persuading Discord’s security team to fix this. Other unnamed individuals who we spoke with at the time have concurrently played an even bigger role than us in getting this fixed. Those people know who they are, and in reading this I hope they see how much the Steam community appreciates what they’ve done. We’d would also like to thank the Discord developers for adding OpenID authentication for Steam connections in Discord.

1 Like

Lame, why would discord even do such a thing.