Embark Studios rushes to fix Discord integration bug as "serious privacy and security violations" may have exposed private Discord DMs, friends data, more

A potentially major security flaw has been discovered in Arc Raiders, according to a security blogger, that could put private Discord messages, friends list information and more at risk for players. Embark Studios has informed players it is “conducting a deeper audit” into the problem.

Timothy Meadows, a distributed systems engineer and technical blogger, first published the blog earlier this week, claiming that Arc Raiders is storing private Discord messages, friends list presence data, and Discord Bearer Authentication tokens in log files. This, he claims, occurs if Discord integration is enabled while playing the extraction shooter.

In the blog post, Meadows summarises his findings as such: “During gameplay of Arc Raiders, private Discord Direct Message (DM) conversations between two users were found being written in plaintext to a local game log file. Additionally, a full Discord Bearer authentication token was found stored in the same log file. These findings represent serious privacy and security violations that affect all players using Discord integration with the game.”

According to Meadows, Discord DMs between two users – which otherwise would be private – were captured by Arc Raiders’ Discord SDK (software development kit). He notes that in his findings, these were “written in full to a plaintext log file stored locally on the user’s machine.”

He claims this happens because of how the Arc Raiders Discord SDK works. When Discord integration is enabled, it uses the full Discord Bearer authentication token to access data. Think of this as an encrypted pass that allows access to specific Discord data. According to Meadows, more information than expected is gathered as part of this process, including private DM messages. He states: “Rather than filtering sensitive events, the SDK logs everything it receives to disk.”

What this potentially means, if Meadows is correct in his testing, is that private conversations received while the game is running are written to disk, that log files containing that data may be included in crash reports or bug report uploads, and that they may be accessible to other applications on the same machine. As a result, third parties with access to the machine or crash reports could read private conversations and more.
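An added example, not code from Embark, Discord or Meadows' post: a deny-by-default logging filter in Python that shows the filtering the quote above says was missing, keeping payloads only for allowlisted event types and redacting Bearer tokens before anything reaches disk. The allowlisted event names, the sample events and the log format are constructed for illustration; the SDK's real log format is not shown in the article.

```python
import io
import logging
import re

# Hypothetical event types whose payloads are safe to log (assumption).
LOGGABLE_EVENTS = {"SDK_CONNECTED", "LOBBY_JOINED"}
BEARER_RE = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+")


class SdkLogFilter(logging.Filter):
    """Deny by default: withhold payloads of unlisted events, redact tokens."""

    def filter(self, record):
        event = getattr(record, "event", None)
        record.event = event or "UNKNOWN"
        if event in LOGGABLE_EVENTS:
            text = BEARER_RE.sub("Bearer [REDACTED]", record.getMessage())
        else:
            # Record that an event arrived, never what it contained.
            text = "event received (payload withheld)"
        record.msg, record.args = text, ()
        return True


def run_demo():
    """Log four constructed events and return the lines that would hit disk."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(event)s: %(message)s"))
    handler.addFilter(SdkLogFilter())
    log = logging.getLogger("sdk_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    # Constructed sample events, not taken from any real log file.
    samples = [
        ("SDK_CONNECTED", "handshake ok, Authorization: Bearer EXAMPLE.token-123"),
        ("MESSAGE_CREATE", '{"content": "private dm text", "author": "friend"}'),
        ("PRESENCE_UPDATE", '{"user": "friend", "status": "online"}'),
        ("LOBBY_JOINED", "lobby=42 members=3"),
    ]
    for event, payload in samples:
        log.info(payload, extra={"event": event})
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The allowlist is the design point: an event type nobody anticipated is logged without its body, so a new message or presence event cannot leak through by default.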

On Meadows’ personal X account, he claims he “Tried to report this to @EmbarkStudios but there [sic] bug bounty program can’t be found. Just a dead link not listed in the @intigriti catalog.”

“There is a pretty big security issue with @ARCRaidersGame discord sdk integration that’s putting people at risk.”

A statement posted to the official Arc Raiders Discord server says a hotfix is in the works, seemingly in response to these findings. It reads: “The team is also working on a hotfix to address an issue where the Discord SDK logged excessive user information. Rest assured that your private and/or personal data was not sent outside your machine and Embark has not (and will not) review or keep such information. We will disable the Discord SDK logging and are conducting a deeper audit to ensure no further issues. If you have questions or concerns, please contact our support team.”

In his blog, Meadows recommends you change your Discord password immediately, do not share your log files with anyone, and disable Discord integration in Arc Raiders until the issue is resolved.

Eurogamer has contacted Embark Studios and Discord for comment.
