Discord OAuth2 Keys
Service Name: Discord
Service Description: Discord is a VoIP and instant messaging social platform that allows users to communicate via voice calls, video calls, text messaging, and media files in private chats or as part of communities called "servers".
Service Address: https://discord.com/
Validation Type: API Auth
IP Allow list: Does not exist at the secret level, but Discord offers IP whitelisting for verified bots and applications.
Secret Access Scope: Discord OAuth2 keys (client ID and client secret) allow applications to authenticate and interact with Discord's API on behalf of users, accessing user data and performing actions based on granted permissions.
Secret Revokement URL: https://discord.com/developers/applications
Secret Example: - Client ID: 123456789012345678 - Client Secret: abcDEFghiJKLmnoPQRstUVWxyz_-1234567890
Suspicious Activity Investigation Instructions:
- Review the Discord Developer Portal for unusual OAuth2 redirects or changes to your application settings.
- Check application logs for unexpected authentication attempts or API calls.
- Monitor for unauthorized access to user data or actions performed on behalf of users.
- Review Discord's audit logs for any suspicious activities related to your application.
- Check for unexpected increases in API usage or rate limit errors.
Mitigation Instructions:
- Log into the Discord Developer Portal at https://discord.com/developers/applications.
- Select the compromised application.
- Navigate to the "OAuth2" section.
- Click "Reset Secret" to invalidate the current client secret and generate a new one.
- Update the client secret in all legitimate application instances.
- Review and update the application's redirect URIs to ensure they only point to trusted domains.
- Consider implementing additional security measures like state parameters and PKCE for OAuth flows.
- Review and potentially reduce the OAuth2 scopes requested by your application.