Discord QR Code Phishing

Published May 9, 2022

Here's a guide on how to recognize the Discord QR code scam, which is a common vector through which accounts are compromised.

It usually starts with a friend DMing you a server invite unprompted.

[Image: initial message]

So you join the server, and you're greeted with a request for verification:

[Image: verification prompt with QR code]

Once you scan the code and approve the login, that's it—you've handed total access to your account to whoever generated the sign-in link.

Some things to note:

How does it work?

Some time ago, Discord introduced a feature that enables you to quickly sign in by scanning a QR code from a device where you're already signed in.

[Image: sign-in screen]

After scanning the code, your phone asks you to confirm whether you want to log in.

[Image: phone prompt screen]

If you tap "Yes, log me in", your phone sends an authenticated request to Discord's servers, which then sign you in wherever the QR code was first generated, not on the phone that scanned it. As you can see, this system is ripe for abuse when combined with a little bit of social engineering. If you are unlucky enough to sign in without heeding Discord's warning, this is what you're greeted with:

[Image: "verified" message]

And soon afterwards…

[Image: pwned]

…you become one with the horde.
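To make the mechanism concrete, here is an added Python model of a QR sign-in exchange. It is constructed for this post and is not Discord's code; the server, nonce lifetime and origin labels are assumptions. It shows the point above: the approval from the signed-in phone lands the session on whichever device generated the code, and the only defences the server can offer are to expire codes quickly, accept each code once, and show the approver where the login will go.

```python
import secrets
import time

# Constructed model of a QR-code sign-in flow (not Discord's code).
NONCE_TTL_SECONDS = 120  # assumption: codes expire quickly


class QRLoginServer:
    def __init__(self):
        self.pending = {}   # nonce -> {"origin": ..., "issued": ...}
        self.sessions = {}  # origin -> signed-in user

    def issue_code(self, origin, now=None):
        # Requested by the device that is NOT signed in; the QR image encodes this nonce.
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = {"origin": origin, "issued": time.time() if now is None else now}
        return nonce

    def origin_of(self, nonce):
        # The detail an approval prompt should show: which device will receive the login.
        entry = self.pending.get(nonce)
        return None if entry is None else entry["origin"]

    def approve(self, nonce, user, now=None):
        # Sent by the signed-in phone after the user taps "Yes, log me in".
        entry = self.pending.pop(nonce, None)  # single use: a second approval is rejected
        if entry is None:
            return None
        age = (time.time() if now is None else now) - entry["issued"]
        if age > NONCE_TTL_SECONDS:
            return None  # expired code
        self.sessions[entry["origin"]] = user
        return entry["origin"]  # the session lands on the origin, not on the phone


def walk_through(now=1000.0):
    """Replay the scenario from the post: the code is generated on one device and
    approved from another. Returns what was shown, where the login landed, and
    how a replayed or expired code is handled."""
    server = QRLoginServer()
    nonce = server.issue_code("browser-that-generated-the-code", now=now)
    shown = server.origin_of(nonce)          # what the phone should display before "Yes"
    landed = server.approve(nonce, "victim", now=now + 5)
    replay = server.approve(nonce, "victim", now=now + 6)   # rejected: already used
    stale = server.issue_code("another-browser", now=now)
    expired = server.approve(stale, "victim", now=now + NONCE_TTL_SECONDS + 1)
    return {"shown": shown, "landed": landed, "replay": replay, "expired": expired,
            "sessions": dict(server.sessions)}
```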

How To Protect Yourself

For more information on attacks of this type, check out OWASP's page on QRLJacking.