Summary
During gameplay of Arc Raiders, private Discord Direct Message (DM) conversations between two users were found being written in plaintext to a local game log file. Additionally, a full Discord Bearer authentication token was found stored in the same log file. These findings represent serious privacy and security violations that affect all players using Discord integration with the game.
Correction:
I originally reported that the bearer token had the ability to send a message on the user's behalf. This was in error due to my misunderstanding of the permission rpc.voice.write. This permission only allows the token holder to change the user's voice settings. It does not allow them to send a message as the user. This has been corrected in the article below to give the correct abilities. This message serves as a retraction notice.
Update: This has now been patched.

Affected Files
- Log File Location: C:\Users\<username>\AppData\Local\PioneerGame\Saved\Logs
- Log File Name: discord.log
- Discord SDK Version: commit 3b8f3adce7dd1d85463aa700d9185676633e98a1, version 1.8.13395
Risk Summary
| Finding | Severity | Users Affected |
|---|---|---|
| Private DM content written to log file | 🔴 Critical | All players using Discord |
| Bearer token written to log file | 🔴 Critical | All players using Discord |
| Friends list presence data logged | 🟠 High | All players + their Discord friends |
| Overly broad gateway connection scope | 🟠 High | All players using Discord |
Private DM Conversation Content Logged to Disk
Description:
Private Discord Direct Messages exchanged between two users were captured by the game's Discord SDK gateway connection and written in full to a plaintext log file stored locally on the user's machine.
Evidence:
- MESSAGE_CREATE gateway events appearing in the game log file
- Channel type 1 confirmed - this is a private DM channel, not a game or public channel
- Messages between users captured in full
- Message content, timestamps, user IDs, channel IDs all logged in plaintext
The Arc Raiders Discord SDK connects using a full user Bearer token, opening a complete Discord gateway connection identical to the one used by the Discord desktop app itself. Discord's gateway pushes all events to this connection - including private DM messages. Rather than filtering sensitive events, the SDK logs everything it receives to disk.
Impact:
- Any private conversation received while the game is running is written to disk
- Log files may be included in crash reports or bug report uploads
- Log files may be accessible to other applications on the same machine
- Third parties with access to the machine or crash reports can read private conversations
Discord Bearer Token Stored in Plaintext Log File
Description:
The user's full Discord Bearer authentication token was found written in plaintext inside the game log file.
Evidence:
"token":"Bearer <redacted>"
(Full token redacted for this report - present in original log file)
A Discord Bearer token is functionally equivalent to account access. Anyone in possession of this token can:
- Read all your messages and DMs
- Access your friend list, servers, and account settings
- Change voice or Discord settings
- Remain logged in until the password is changed
Impact:
- If the log file is ever shared (e.g., in a bug report, on a forum, to a support team), the token is fully exposed
- Crash report systems that automatically upload logs would transmit this token to Embark Studios' servers
- Malicious software on the same machine could harvest this token from the log file
Entire Friends List Presence Data Logged
Description:
PRESENCE_UPDATE and READY_SUPPLEMENTAL gateway events containing the online/offline status, activity, and metadata of the user's entire Discord friends list were written to the log file.
Evidence:
- Multiple PRESENCE_UPDATE events logged for third-party users
- READY and READY_SUPPLEMENTAL events containing bulk friend presence data at connection time
Impact:
- Third-party users who have no relationship with Arc Raiders have their Discord presence data written to another user's game log file without their knowledge or consent
- This affects people who never agreed to Arc Raiders' terms of service
Broader Than Necessary Gateway Scope
Description:
The Discord SDK integration requests and maintains a full Discord gateway connection using the user's Bearer token. Discord's own Rich Presence SDK is designed to only require a limited OAuth scope for game activity display. Using a full gateway connection vastly exceeds what is needed for Rich Presence functionality.
Impact:
- Exposes far more user data than necessary for the stated purpose (showing game status in Discord)
- Violates the principle of least privilege
- Creates unnecessary attack surface for all the findings listed above
For Embark Studios / Arc Raiders
- Immediately filter MESSAGE_CREATE, PRESENCE_UPDATE, and authentication events from SDK logging
- Never log Bearer tokens or authentication credentials to any file
- Reduce the Discord gateway connection scope to only what Rich Presence requires (OAuth, not full Bearer)
- Audit all crash report and log upload systems to ensure tokens and message content are scrubbed before transmission
For Discord
- Review SDK design that allows full gateway connections via Bearer tokens for third-party games
- Enforce stricter OAuth scopes for game Rich Presence integrations
- Investigate whether this violates Developer Terms of Service
For Affected Users (Immediate Steps)
- Change your Discord password immediately - this invalidates your current Bearer token
- Do not share your log files with anyone, including support teams, until the token is removed
- Disable Discord integration inside Arc Raiders; this will remove the information being written to discord.log
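One way to do the scrubbing recommended above, both for log upload pipelines and for a user cleaning discord.log before sharing it. This is an added example, not code from Embark, Discord or the original report; the event names and the "Bearer" token form come from the report, while the log line layout and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Gateway event names the report found in discord.log.
EVENT_RE = re.compile(
    r'\b(MESSAGE_CREATE|PRESENCE_UPDATE|READY_SUPPLEMENTAL|READY)\b')
# "Bearer <value>" as in the report's "token":"Bearer ..." evidence line.
TOKEN_RE = re.compile(r'(Bearer\s+)[A-Za-z0-9._~+/-]+=*')

def scrub_line(line):
    """Return (clean_line or None, reason or None) for one log line."""
    event = EVENT_RE.search(line)
    if event:
        # Fail closed: drop the whole line, since its payload may carry DM
        # text, user IDs or friends' presence data.
        return None, event.group(1)
    clean, hits = TOKEN_RE.subn(r'\1<redacted>', line)
    return clean, ("token" if hits else None)

def scrub_log(lines):
    """Scrub an iterable of lines; return (kept_lines, counts_by_reason)."""
    kept, counts = [], Counter()
    for line in lines:
        clean, reason = scrub_line(line)
        if reason:
            counts[reason] += 1
        if clean is not None:
            kept.append(clean)
    return kept, dict(counts)

# Constructed sample lines; the real discord.log layout is an assumption.
SAMPLE = [
    '[12:00:00] discord: connecting to gateway',
    '[12:00:01] discord: send {"op":2,"d":{"token":"Bearer EXAMPLE.constructed-token_123"}}',
    '[12:00:02] discord: recv {"t":"READY_SUPPLEMENTAL","d":{"merged_presences":{}}}',
    '[12:00:03] discord: recv {"t":"MESSAGE_CREATE","d":{"channel_type":1,"content":"hi"}}',
    '[12:00:04] discord: recv {"t":"PRESENCE_UPDATE","d":{"status":"online"}}',
    '[12:00:05] discord: rich presence updated',
]

if __name__ == "__main__":
    kept, counts = scrub_log(SAMPLE)
    print(counts)            # what was dropped or redacted, by reason
    print("\n".join(kept))   # lines that are safe to keep
```

The counts returned by scrub_log double as an audit signal: any non-zero value means the unscrubbed file contained material that should not leave the machine.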
This report was prepared based on direct analysis of game log files. All findings are based on observed technical behavior of the Discord SDK integration within Arc Raiders.