-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Let bots and OAuth2 apps read user bios and banners #3095
Comments
Additional use case for Moderation Bios have full markdown, meaning users can put links in them. This makes them an escalated moderation concern. There are many automoderation bots that already scan user presences for malicious content, slurs, spam, advertising etc. The moderation concerns for presences are doubled for bios as they always display regardless of presence, and have full markdown allowing someone to link to grabify (for example) in their bio. Malicious bios are more akin to names in that they're a TnS concern moreso than a general moderation concern but the autmoderation concerns are very much still present for bios, and allowing bots to access this content will also allow for better identification and reporting of malign users abusing bios. The same holds true for graphic/TOS breaking content in banners, such as nudity or gore. There are bots that can detect such things, and do so for profile pictures and uploads already. Additional alternatives The data in a bio can be sensetive, it may be apt to gate access behind a priv. intent, as was done with presences & members. I can see cases for it being tied to either or both current priv. intents, though I feel presences would be more apt. This would strike a good middleground between user privacy and autmoderation. Additionally, for Oauth, making a new scope for Additional details It's worth noting that flags were previously Oauth only data despite being mostly harmless data and having genuine use cases in server gating bots. I can very much see the same case here where the banner and bio info is mostly harmless and bots having access won't have any real drawbacks, rather it would actually aid in automoderation and in turn in TnS efforts to discover bad actors via reporting. |
If this is added it would make sense that its behind a privileged intent? |
We'll serialize the banner image hash on the user object so that bots can start passively getting that field. As for bios, we absolutely hear the moderation use cases, but we're not comfortable making those accessible right now. The behavior that we (and you) see, outside of potential moderation issues, is people putting really sensitive, personal information in their bios. We aren't comfortable with that data being scraped. Privileged intents are great, but the authorization model is still a server owner accepting on behalf of everyone in the server. Presence information that shows what you're doing or short-lived custom statuses just isn't at the same level of a field directly asking "Please tell me personal information about yourself". As for an OAuth scope, that could be a way to do it, but it wouldn't really solve your moderation use case, the case for things like duplicating bios on other sites isn't something we need to support. |
You can send a |
|
Honestly, this only prevents legitimate uses out while bad actors can still access that freely. We can see that just a couple messages above on what kyeondiscord just posted. Userbots are already operating as outlaws so they don't really have to comply with privacy or anything. Actual bots signed an agreement and have to keep compliant. Profile scraping for republishing is mostly made by selfbots that sneak into public servers (and we probably already have some out there scraping all that somewhere), rarely by bots that are actively added to the server, let alone ones that proved worthy of privileged intents. |
Malicious users circumventing any security in place does not mean that it should be made easy for them and leave the door wide open for more, less intelligent malicious users. I can definetly see why you wouldn't want profile text to be scraped, I would love to use it as well, but sadly we live in a world where security measures like this are necessary. |
I absolutely agree, things should definitely not be easier which is why it is nice to see that's not available for bots out of the box. the only problem is, as you mentioned:
gating that behind both verification AND privileged intents would be good enough to weed out the "less intelligent". I personally don't have any use for it as a developer. But on a user's perspective moderating these manually can be pretty tedious, and frustrating, hard to just ignore them especially when malicious clickable links can be there. |
Discord should prompt a message to not put out sensitive bio and stuff like that to prevent this in the first place however there are many reasons discord does or doesn't do stuff so I'll respect their decisions. |
in my opinion bots just shouldnt have access to the about me. It literally says About ME. so while some poeple feel like filling it with eggplant or amogus emojis I think the majority of users uses it for what its made for: giving a bit of info about yourself like pronouns, age, preffered language. And while im ok with you guys seeing said info, Im not ok with a random bot being able to show said info to thousands of unknown people via a 'userinfo id' command just bc I share a guild with that bot. saying they should warn us to not put info about us in the about me field seems like a joke to me. I just want new potential friends to know what they're gonna talk with but not everyone that somehow has a bot that shares a guild with me. |
coughs I think we can get about me/status of user without the need to share guilds and bots with them. By just getting an id of a user, we can make a request to get their tag (username#tag) and use it to make a friend request (and while the request is not being accepted, we can click pending requests and click on their profile to see their status and about me. So how is security being maintained here? If about me was meant to be so much more private, can't we ask users to keep nothing sensitive in status, and put them all in about me, and allow bots to get status? |
I - to be honest - don't really understand the problem with bots accessing bios. |
this is not true.
this is also not true. you cannot see a user's presence (status etc), bio, banner (for now), or nitro/boost status if you have no mutual servers and are not friends. even if you send the user a friend request. if you don't believe me, try it and see (which you probably should have done before stating your assumptions as definite) |
@advaith1 Alright, my mistake. However, once you join a single discord server, you always have to expect that strangers can join said server and will therefore be able to see your data. And I don't think that bots should be able to see everyone's bio either, just of the ones they share a server with. Which everyone sharing a server with them can definitely see. |
Why don't you just add an option if you want to expose your bio to the API? Something in settings, therefore, if someone theoretically puts something "sensitive" on their bio they can turn it off. |
@Milo123459 I think the primary problem is that it would just confuse most users since the average Discord User usually has no clue what an API is. |
What about something simpler, "Allow bots to see your bio"? |
Sounds like a fair solution for everyone. +1 |
Spammers would just turn that off and it would defeat the moderation reasons to have that enabled. Sounds like a good idea, but I don't see why it would help bots to see normal person bios but not the spammer bios. |
Also, there's a new feature: per server bio |
Bots aren't getting access to users' global bios, see Mason's comment in this thread The feature request for per-server banners and bios is |
What about a user profile intent and/or oauth2 scope? |
Any updates? |
Discord should now be able to allow us to moderate this via their "AutoMod" bot/service ? Btw on an alternative note, can't we tell users to not provide sensitive information in their bio when they edit it? Internet itself is not a safe place to just give out any private information... |
...except for where it might be necessary for a bot or other application to function. Honestly, how hard could it be to add an intent for this? |
It's not hard in a technical way, it's just a privacy concern. Just making something an intent doesn't stop any malicious use. |
|
I'm removing myself from this thread because I think the engineering staff have made it clear this isn't a feature they want to implement but I'll add this: We now have the I stand by the moderation use cases I mentioned before. Considering how prolific scam bots have gotten on the platform, reading user bios provides an integral data point to smart anti-scam bots built to counter these scam bots. This is an incredibly specific use case and I'm only even aware of 2 bots that have any systems robust enough to detect scambots by profile data. For this use case to actually be useful it'll have to be an intent, and an entire intent for a handful of bots just doesn't make sense. Manual moderation of bios hasn't proven that difficult, clicking a user once is all it takes. I've also only found a handful of cases where a bio has anything in it that violates TOS, it's markedly more common in statuses (perhaps because they're easy to change to cover tracks). AutoMod rules being applicable to bios/names/statuses is the ideal solution here, keeps data in-house, and if bots are allowed to post to the AutoMod endpoints we can even update these rules to adapt to new threats automatically. Also intents don't really stop misuse in practice. I've seen bots claim to have moderation features for the messages scope only to violate dev TOS by providing targeted insights for users. Oauth is even worse with the email scope recently being used by MEE6 to violate GDPR and the guilds.join scope abused daily to mass join hundreds of thousands of users to guilds for money. Adding bios to the mix is gonna make more of a nightmare for developer enforcement for a handful of use cases. While it's nice to always assume good faith, if we assume bad faith we can quickly imagine a scenario where a very large bot is able to create facebook level inferred connections on users. Finally do you really want to get an event every single time a user updates their bio or per server bio? The sheer volume of events from the presence intent is already so large it outweighs pretty much every other intent. Adding on bios, you're getting so many more events, so much more event processing, only for maybe 5% of those bios to actually have malicious content (and that's being very generous). tl;dr I think it would be nice but it's quite abusable, staff don't seem to want to implement it and a dead horse I beateth not. |
It's not abusable. This is data available to all users. |
Currently experiencing 2-3 bots per week accessing a Discord I moderate. They always have an about me section mentioning DMs for art commissions. It would have been amazing to do some warning to my moderators for certain keywords in the their about me, but I guess that won't be happening. This makes moderation harder. Please reconsider this decision or stop the bots in the first place. Unless Discord creates the appropriate tools to fix this, we should at least be able to make our own tools to deal with bots. |
Running a 50k+ member server, and every week we have users DM our members regarding gfx work. Like @Woovie mentions having the ability to trigger bot alerts on keywords in bio would negate this problem by ALOT since moderators will catch way more of them. Until the bots ofc change their tactic. |
Might I add: not allowing bots to access the endpoint fails to stop malicious users from accessing it, because, not being afraid of breaking the ToS, they will just create a bunch of alts and selfbot the endpoint. Also, if you are someone that actually uses discord privately, and only ever joins private servers with their IRL friends, then chances are that message history is far more sensitive than the about me section. If the discord team doesn't want to let bots access the endpoint without users consenting, at least make an 'identify.aboutme' OAuth scope, like so: |
AutoMod will have a way to block people from chatting based on their bio, but it hasn't been rolled out to everyone yet. Kinda sucks that you're forced to use proprietary methods to moderate your server, but oh well, it's something. |
Been writing a bot for a server that requires new member verification/screening and one of the key elements to allowing a user to pass into the rest of the server is bio contents. |
This is an absolute must IMO. Once your server gets into the thousands of members, you require extra insight, and the about me has been a goldmine in my experience. Being able to access data that is otherwise publicly available should be the default. I'm 100% okay with making it a privileged intent, but we need access to it. To those who say "but my privacy!", I can only say: DON'T POST PRIVATE STUFF IN PUBLIC PLACES! |
Then it should be limited to discoverable guilds only if you're going to have that mentality about it. |
Then, by your logic, message intent should also be limited to discoverable guilds. I'd argue limiting it to discoverable guilds is still better than not having the ability to view "about me"s at all. If this is the decision Discord makes, I won't be happy, but it's better than nothing. |
So it's fine for a bot to log all available user data (mostly their UID) and then proceed to track said user across any guild the bot is in, logging every single message that they post. But a bot reading the "about me" part of a users public profile is a step too far? |
Plus, if a user wanted to abuse this, they'd just create a user account. That's also easier as they don't need to be "invited" to public servers. |
This comment was marked as off-topic.
This comment was marked as off-topic.
I see a potential solution here. Why don't we ask the user if they want to allow their bio to be scraped. If they don't allow it, we just hide their bio from all server members. It solves the moderation issue. |
This seems like extra work. Maybe an update to ToS or Privacy Policy saying that adding a bio gives consent to scraping? Or maybe a label under the edit bio text box? |
Boo, I am building an anti-spam bot and I came here to see how my bot can read the "about me" and kick or warn the user if it contains spam things like "Official Support" or "Official Admin" etc.. we have lots of fake support people trying to phish for users info acting like they are tech support... My bot already kicks based on user name, we got that under control, but now they moved to making their profiles seem like legit support. And...... i can't do anything about it now. |
As builders of Sledgehammer, one of the most prominent security bots on this platform, we've also been wondering about this exact same issue. I also think it's a bit ridiculous that:
|
I find it absolutely appalling that Discord staff see the 'bio' section as a privacy issue with fears of data scraping, especially on a live chat medium. There are THOUSANDS of drone accounts on Discord at this point abusing this feature - those are not using the Discord API like what actual friendly bots do! On the servers that I manage, these bad actors are utilizing the bio segment with emoji icons and text to attempt to look more official, along with links that direct users to scams and other malicious material. In most instances with bad actors, the bio is being used for impersonating moderators and admins that have a hoisted/elevated status on the server. This is the definition of a spamming/impersonation method. As such, Discord should support the bio segment to be interrogated via the API. My bot (along with everyone else's friendly bots) is only seeing part of the story from the API. That does not bode well for anti-spam measures via a bot. On the flipside, there are actual projects/repo's on GitHub that have discord spam tools readily available to auto-generate accounts with varying levels of details (username, display name, bio), auto-join servers, auto-collect the entire servers visible user list, then auto-friend users in the event their spam can't be automatically sent - even well after the accounts have been removed from the server. The spammers in some very recent incidents, appears to be utilizing LLM's to 'chat up' unsuspecting users before they hit them with malicious or scam-related material. Bad actors do not care about Discord's privacy policy or terms of service. If they did, we (server admins and bot developers) wouldn't be seeing this sort of abuse. |
Description
Currently, user bio and banner fields are only returned on the profile endpoint, so they cannot be accessed via bots or OAuth2. It would be useful if they were returned in endpoints that can be accessed.
Why This is Needed
Currently, many sites that support Discord OAuth2 login allow users to input a bio and banner in the site, but if they already have the data set in Discord then they would need to re-enter it. This would allow sites to automatically show the Discord profile information, either as the only option or as the default data if the user has not overridden it in the site. This would also be useful for bots that show a user's general information; iirc some bots also allow setting a custom bio and/or banner.
Alternatives Considered
There is currently no (TOS-abiding) way to programmatically get a user's Discord bio and banner information, so the only current "alternative" is making the user re-enter the data in the other application. Support for that could be added by adding the data to the
/users/:id
endpoint (for bots) and the/users/@me
endpoint (for OAuth2), or giving applications access to the/users/:id/profile
endpoint.Additional Details
It would make sense if this ability is not added until after Profile Customization fully releases (in case of breaking API changes), but it would be nice to get a confirmation if it will be added or not.
The text was updated successfully, but these errors were encountered: