Arc Raiders Logged Private Discord DMs And Tokens In Plaintext, Researcher Finds
One of the more concerning of Meadows’ findings is that a player’s direct messages “were captured by the game's Discord SDK gateway connection and written in full to a plaintext log file stored locally on the user's machine.” Although this file is stored locally, it’s often transmitted to the developers to make bugs easier to troubleshoot. That means these messages could have been read by anyone on the development team, because they were saved in plaintext rather than being encrypted.

This isn’t the only logging snafu, though. The Discord Bearer Token is also present within the same log file, giving anyone who holds this token significant control over a user’s account. With a Bearer Token it’s possible to read direct messages, access friend lists, servers, and account settings, modify voice or Discord settings, and remain logged in as that user until a password change occurs.

Meadows says that these issues are present because the “Discord SDK integration requests and maintains a full Discord gateway connection using the user's Bearer token.” This design decision exposes users to far more data collection than is needed to deliver basic in-game functionality. A better way forward would be to use another SDK offered by Discord, called the Rich Presence SDK, which requires a more limited scope of user data.

Fortunately, the Arc Raiders development team has fixed this issue, but Meadows recommends that players immediately change their Discord password to invalidate any potentially exposed tokens.
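
The logging failure described above comes down to writing raw gateway traffic to disk. As an added example (not code from Arc Raiders, Discord, or Meadows’ report), this Python filter redacts bearer tokens and omits message content before a line reaches the log. It assumes events are logged as JSON lines in Discord's gateway shape (`op`, `t`, `d`); the key lists and sample lines are constructed for illustration.

```python
import json
import re

# Matches "Bearer <token>" in headers or free-form log text.
BEARER_RE = re.compile(r"(?i)\b(Bearer)\s+[A-Za-z0-9._~+/=-]{8,}")
# Assumed lists: credential keys, private message keys, message event types.
SECRET_KEYS = {"token", "access_token", "refresh_token", "authorization"}
PRIVATE_KEYS = {"content", "attachments", "embeds"}
MESSAGE_EVENTS = {"MESSAGE_CREATE", "MESSAGE_UPDATE"}


def _scrub(value, private):
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            if key.lower() in SECRET_KEYS:  # credentials: always redacted
                out[key] = "[REDACTED]"
            elif private and key in PRIVATE_KEYS:  # message bodies: omitted
                out[key] = "[OMITTED]"
            else:
                out[key] = _scrub(item, private)
        return out
    if isinstance(value, list):
        return [_scrub(item, private) for item in value]
    if isinstance(value, str):
        return BEARER_RE.sub(r"\1 [REDACTED]", value)
    return value


def sanitize_log_line(line):
    """Return a version of one log line that is safe to write to disk."""
    try:
        event = json.loads(line)
    except ValueError:
        event = None  # plain-text line, not JSON
    if not isinstance(event, dict):
        return BEARER_RE.sub(r"\1 [REDACTED]", line)
    return json.dumps(_scrub(event, event.get("t") in MESSAGE_EVENTS))


# Constructed sample lines (not taken from the game's real log).
SAMPLES = [
    '{"op": 0, "t": "MESSAGE_CREATE", "d": {"channel_id": "1", "content": "hi there"}}',
    "HTTP GET /users/@me Authorization: Bearer abc.DEF-123_exampletoken",
    '{"op": 2, "d": {"token": "abc.DEF-123_exampletoken", "intents": 0}}',
]

if __name__ == "__main__":
    print("\n".join(sanitize_log_line(s) for s in SAMPLES))
```

Redaction at write time is a backstop; the scope reduction the article describes removes the data from the client in the first place.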