In a detailed investigation published on his personal blog, Timothy D. Meadows II, a computer engineer and security researcher, has revealed a serious privacy and security vulnerability affecting players of the popular game Arc Raiders. The issue involves the game’s integration with Discord, which was found to be logging sensitive user data—including private messages and authentication tokens—in plaintext on players’ machines.
Findings
Meadows discovered that while playing Arc Raiders, private Discord Direct Messages (DMs) were being written in plaintext to a local log file. Additionally, the user’s full Discord Bearer authentication token was also stored in the same file. These findings represent critical privacy and security risks for all players using the game’s Discord integration.
“During gameplay of Arc Raiders, private Discord Direct Message (DM) conversations between two users were found being written in plaintext to a local game log file,” Meadows wrote. “Additionally, a full Discord Bearer authentication token was found stored in the same log file.”
Correction and Update
Meadows also issued a correction: he initially believed the token could be used to send messages on behalf of the user, but clarified that the scope attached to it only allows changes to voice settings, not message sending. His post has since been updated to reflect this.
The issue has now been patched by the game’s developers, Embark Studios.
Affected Files and Technical Details
- Log file location: C:\Users\<username>\AppData\Local\PioneerGame\Saved\Logs
- Log file name: discord.log
- Discord SDK version: commit 3b8f3adce7dd1d85463aa700d9185676633e98a1, version 1.8.13395
What Was Logged?
- Private DMs: Full message content, timestamps, user IDs, and channel IDs were captured in plaintext.
- Bearer Token: The user's full authentication token was logged. Per the correction above, the scope it carried permits changing voice settings rather than sending messages, but a bearer token is usable by whoever holds it, so anyone who obtains the log file (for example from a shared bug report) can act within that scope as the user.
- Friends’ Presence Data: Online/offline status and activity of the user’s entire Discord friends list was logged.
Why This Matters
The game’s Discord SDK was using a full gateway connection with the user’s Bearer token, similar to the Discord desktop app. This meant it received and logged all events—including private messages and presence updates—rather than filtering out sensitive data.
Recommendations
For Embark Studios:
- Filter sensitive events (like messages and presence updates) from SDK logs.
- Never log authentication tokens.
- Use the minimum necessary OAuth scope for Rich Presence features.
- Audit crash report systems to prevent sensitive data transmission.
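The filtering the first two recommendations above describe, and the read-only check a player could run on a copy of discord.log, as an added example. This is not Meadows's code and not Embark's or Discord's SDK code. The log line layout (timestamp, level, component, then a JSON gateway payload), the sample lines, the fake token and IDs, and the token regexes are all constructed assumptions; the post does not reproduce the real discord.log format. MESSAGE_CREATE and PRESENCE_UPDATE are Discord's own gateway dispatch names.

```python
"""Redact tokens and drop private gateway events from a Discord SDK-style log.

Added example. The log line format ("<timestamp> <level> <component>: <payload>")
and the sample lines are constructed; they are not the real discord.log format.
"""
import json
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Gateway dispatch names whose payloads carry other people's data. The names
# are Discord's; dropping them from a log is the recommendation in the text.
SENSITIVE_EVENTS = {"MESSAGE_CREATE", "MESSAGE_UPDATE", "PRESENCE_UPDATE", "TYPING_START"}

# Credential patterns (assumed shapes): an HTTP "Bearer <token>" value and a
# JSON "token"/"access_token" field. Tokens should never reach a log at all.
BEARER_RE = re.compile(r"(Bearer\s+)([A-Za-z0-9._~+/=-]{20,})")
TOKEN_FIELD_RE = re.compile(r'("(?:access_)?token"\s*:\s*")([^"]+)(")')

# Constructed sample log (hypothetical format, fake token, fake IDs).
SAMPLE_LOG = """\
2024-01-01T12:00:00Z INFO gateway: {"op": 2, "d": {"token": "abcdefghijklmnopqrstuvwxyz0123456789", "properties": {"os": "win"}}}
2024-01-01T12:00:01Z INFO gateway: {"op": 0, "t": "READY", "d": {"user": {"id": "111"}}}
2024-01-01T12:00:02Z INFO gateway: {"op": 0, "t": "MESSAGE_CREATE", "d": {"channel_id": "222", "author": {"id": "333"}, "content": "meet at 9?"}}
2024-01-01T12:00:03Z INFO gateway: {"op": 0, "t": "PRESENCE_UPDATE", "d": {"user": {"id": "444"}, "status": "online"}}
2024-01-01T12:00:04Z DEBUG http: Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123456789
2024-01-01T12:00:05Z INFO gateway: {"op": 1, "d": 42}
"""


@dataclass
class ScanReport:
    tokens_found: int = 0
    lines_kept: int = 0
    lines_dropped: int = 0
    sensitive_events: List[Tuple[int, str]] = field(default_factory=list)


def event_type(line: str) -> Optional[str]:
    """Return the dispatch name ("t") of a JSON gateway payload on the line, if any."""
    brace = line.find("{")
    if brace == -1:
        return None
    try:
        payload = json.loads(line[brace:])
    except json.JSONDecodeError:
        return None
    return payload.get("t") if isinstance(payload, dict) else None


def redact_tokens(line: str) -> Tuple[str, int]:
    """Replace credential values with a marker; return the new line and the count."""
    line, n_bearer = BEARER_RE.subn(r"\1[REDACTED]", line)
    line, n_field = TOKEN_FIELD_RE.subn(r"\1[REDACTED]\3", line)
    return line, n_bearer + n_field


def sanitize_log(text: str) -> Tuple[str, ScanReport]:
    """Drop sensitive dispatch events entirely and redact tokens on every other line.

    This is the filter an SDK logger should apply before anything is written to disk.
    """
    report = ScanReport()
    kept = []
    for number, line in enumerate(text.splitlines(), 1):
        kind = event_type(line)
        if kind in SENSITIVE_EVENTS:
            report.sensitive_events.append((number, kind))
            report.lines_dropped += 1
            continue  # never write the payload, not even a redacted copy
        clean, count = redact_tokens(line)
        report.tokens_found += count
        report.lines_kept += 1
        kept.append(clean)
    return "\n".join(kept) + "\n", report


def scan_log(text: str) -> ScanReport:
    """Read-only audit: what a player would run on a copy of an existing log."""
    return sanitize_log(text)[1]


if __name__ == "__main__":
    # Usage: python sanitize_discord_log.py [path/to/discord.log]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            source = handle.read()
    else:
        source = SAMPLE_LOG
    cleaned, result = sanitize_log(source)
    print(cleaned)
    print(f"tokens redacted: {result.tokens_found}, lines dropped: {result.lines_dropped}, "
          f"events: {result.sensitive_events}")
```

Two design choices matter here: message and presence events are dropped whole rather than redacted, because their value to a log is nil and their content is someone else's data, while the token lines are kept with the value masked so the connection sequence remains debuggable. Run against a real log, the report tells a player whether a file is safe to attach to a bug report.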
For Discord:
- Review SDK design to prevent full gateway access for games.
- Enforce stricter OAuth scopes for game integrations.
For Users:
- Change your Discord password immediately, and revoke the game's authorization under User Settings > Authorized Apps if it is listed there.
- Do not share log files (for example by attaching them to bug reports) while they may still contain your token and message content.
- Disable Discord integration in Arc Raiders until the issue is fully resolved.
Conclusion
Discord’s decision to allow full gateway connections via Bearer tokens for simple game integrations is a glaring design flaw. The platform’s SDK should enforce the principle of least privilege by default, limiting third-party apps to the bare minimum permissions required for their functionality. Instead, developers are left to self-regulate—an approach that has repeatedly failed.
This lack of oversight has resulted in yet another privacy incident affecting millions of users, many of whom are unaware their data is being routed through—and logged by—third-party games.
Source: timothymeadows
