Okay, apparently it was a very good idea to remove the Discord login entirely. Discord just added a QR code scan feature that enables people to bypass 2FA to log into someone's account without the victim noticing that the QR code they scanned did exactly that. This has caused major security issues on all sites that have Discord login as a feature.
Here is how it works, and yes, it is THAT stupid:
- Hacker creates a QR code on his computer using Discord's new feature.
- Hacker sends the QR code (which expires after 10 minutes) to other Discord users.
- Naive users scan the QR code to see "this goes to the real Discord website".
- User logs into Discord thinking "well, it is the actual real site and there are no warnings or anything".
- Hacker's computer is now logged into Discord thanks to you logging in for their computer, without you even knowing that you have let them log in!
- Hacker can lock you out of your account and also use it to log into other websites thanks to this!
This completely bypasses 2-factor auth and is absolutely easy to do to someone.
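To make the flow above concrete, here is a small added model of a cross-device QR login of the kind the post describes. It is example code written for this page, not Discord's implementation or the poster's code: the server, the 10-minute token lifetime, the field names and the "did you start this login yourself?" prompt are all assumptions. The point it shows is why no second factor is ever asked for: the phone that scans the code is already past 2FA, so whatever approves the token inherits that authentication. The hardened variant does not change the server at all; it only makes the scanning app tell the user what the scan actually does and requires an explicit yes.

```python
"""Toy model of a cross-device QR login (weak) and a consent-prompting variant.

Added illustration for the attack flow in the post, not Discord's code. The token
lifetime, names and the consent prompt are assumptions made for this example.
"""
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumption: QR token valid for 10 minutes, as the post says


class QrLoginServer:
    """Holds pending QR login requests and the sessions they turn into."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested offline
        self.pending = {}       # token -> {"created": ts, "user": None or username}
        self.sessions = {}      # session_id -> username

    def create_qr_token(self):
        """Step 1: an unauthenticated browser asks for a token to show as a QR code."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"created": self.now(), "user": None}
        return token

    def approve(self, token, username):
        """Step 2: an already-authenticated app scans the token and approves it.
        No second factor is requested: the approving app is already past 2FA."""
        req = self.pending.get(token)
        if req is None or self.now() - req["created"] > TOKEN_TTL_SECONDS:
            self.pending.pop(token, None)   # expired or unknown token is dropped
            return False
        req["user"] = username
        return True

    def poll(self, token):
        """Step 3: the browser polls; once approved it gets a full session for that user."""
        req = self.pending.get(token)
        if req is None or req["user"] is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = req["user"]
        del self.pending[token]
        return session_id


class MobileApp:
    """The victim's phone: logged in as `username`, approves whatever QR it scans."""

    def __init__(self, server, username):
        self.server = server
        self.username = username

    def scan(self, token):
        return self.server.approve(token, self.username)


class CautiousMobileApp(MobileApp):
    """Hardened scanner: explain what the scan does and approve only on explicit consent."""

    def __init__(self, server, username, confirm):
        super().__init__(server, username)
        self.confirm = confirm   # callable(prompt) -> bool, stands in for the UI dialog

    def scan(self, token):
        prompt = (f"Scanning this code will log a NEW device into the account "
                  f"'{self.username}'. Did you start that login yourself?")
        if not self.confirm(prompt):
            return False
        return super().scan(token)


def run_attack(victim_app_factory):
    """Attacker creates a token, victim scans it, attacker polls.
    Returns the username the attacker's browser is now logged in as, or None."""
    server = QrLoginServer()
    attacker_token = server.create_qr_token()   # on the attacker's computer
    victim = victim_app_factory(server)         # the victim's logged-in phone
    victim.scan(attacker_token)                 # victim "just checks where it goes"
    session = server.poll(attacker_token)       # attacker collects the session
    return server.sessions.get(session) if session else None


def naive_victim(server):
    return MobileApp(server, "victim")


def cautious_victim(server):
    # A user who reads the prompt and did not start a login elsewhere answers no.
    return CautiousMobileApp(server, "victim", confirm=lambda prompt: False)


if __name__ == "__main__":
    print("naive victim    ->", run_attack(naive_victim))     # attacker logged in as 'victim'
    print("cautious victim ->", run_attack(cautious_victim))  # None, attack fails
```

Note that the server-side expiry in `approve` is not a defence against this attack at all: ten minutes is plenty of time to get one person to scan a code. The only thing that stops the weak flow here is the scanning device refusing to approve a login its owner did not start, which is exactly the warning the post says was missing.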
I knew Discord was bad, but I did not think it was THAT bad.
Edit: Do note that I originally removed that login method because Discord's website was broken at the time I wanted to set it up again, after we migrated domains. Also, I already never liked Discord because of how broken and proprietary it is, so I am biased too.