The Dangers of Quizbowl Discord Bots


Post by entropy »

Recently several Discord bots for quizbowl-related purposes have been created, with a few having been announced on these forums. This is both a cause for celebration, since custom Discord bots can provide extensive functionality, and for caution, because Discord bots are a security risk.

Discord bots work by reading every message in every channel of a server they have access to. When a message is sent in a channel a bot can see, the bot calls a function that handles the message. Usually, all Discord bots do is pass each message through some sort of parser to see if it is a command, and if it is, they will act on that command. However, it is possible for a Discord bot to do anything with any message it receives, including logging or storing the message. This is an issue because it means potentially compromising privacy and leaking unclear set content; for example, a Discord bot in a set-writing server has access to every question that is being written for that set, and so the bot's creator would gain access to unclear set content.

This security risk can be mitigated in two ways. First, server owners should grant bots as few permissions as possible. If a bot doesn't need to see a channel, don't let it see that channel. If a bot doesn't need to read message history, don't let it read message history. Give each bot in your servers the bare minimum of permissions necessary for it to perform its stated function and nothing else. Second, bot creators should make all their bots open-source, and regularly update their posted code. While it cannot be guaranteed that the version of the bot that is actually being run is the same version of the bot whose source code is publicly visible, making the bot open-source allows some measure of transparency.

Bots that are in 100+ servers need to be verified and whitelisted by Discord to operate; Discord's whitelisting process ensures that verified bots do not pose a security risk to servers they are in. If a Discord bot is verified, it will receive a "verified bot" badge on its user profile. Unfortunately, Discord does not verify bots in fewer than 100 servers, and most quizbowl Discord bots currently have too small an audience to be in 100 servers.
karan
utexas
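
One way to apply the least-permissions advice above before adding a bot, as an added example that is not part of the original post: it decodes the `permissions` bitfield in a bot invite link and lists what goes beyond a needed set. The `NEEDED` set, the function names and the sample link are assumptions made for illustration; the bit positions are a subset of Discord's documented permission flags.

```python
from urllib.parse import urlparse, parse_qs

# Subset of Discord's documented permission flags (name -> bit position).
PERMISSION_BITS = {
    "ADMINISTRATOR": 3,
    "MANAGE_CHANNELS": 4,
    "MANAGE_GUILD": 5,
    "VIEW_CHANNEL": 10,
    "SEND_MESSAGES": 11,
    "MANAGE_MESSAGES": 13,
    "EMBED_LINKS": 14,
    "READ_MESSAGE_HISTORY": 16,
    "MANAGE_ROLES": 28,
    "MANAGE_WEBHOOKS": 29,
}

# Assumption: what a command-and-reply quizbowl bot needs; adjust per bot.
NEEDED = {"VIEW_CHANNEL", "SEND_MESSAGES", "EMBED_LINKS"}


def decode_permissions(value):
    """Return (known permission names set in the bitfield, leftover bits)."""
    names = {n for n, bit in PERMISSION_BITS.items() if value & (1 << bit)}
    known_mask = sum(1 << bit for bit in PERMISSION_BITS.values())
    return names, value & ~known_mask


def audit_invite(url, needed=NEEDED):
    """Compare the permissions an invite link requests against the needed set."""
    query = parse_qs(urlparse(url).query)
    value = int(query.get("permissions", ["0"])[0])
    requested, unknown_bits = decode_permissions(value)
    return {
        "requested": sorted(requested),
        "excess": sorted(requested - needed),    # ask the bot author why
        "missing": sorted(needed - requested),
        "unknown_bits": unknown_bits,            # flags outside the table above
        "grants_everything": "ADMINISTRATOR" in requested,
    }


# Constructed sample link; the client_id is a placeholder, not a real bot.
SAMPLE = ("https://discord.com/oauth2/authorize?client_id=000000000000000000"
          "&permissions=85000&scope=bot")

if __name__ == "__main__":
    for key, val in audit_invite(SAMPLE).items():
        print(f"{key}: {val}")
```

The invite link only shows what the bot asks for when it joins; which channels it can actually see is still decided by the server's role and channel permission settings.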